Informational
Process Information
- File Name
powershell.exe
- File Path
\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Command Line
"powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\AtomicRedTeam\atomic-random-runner-v2.ps1" -TestCount 3 -Silent
- Process ID
27099548696
- Parent PID
17216883392
- SHA256
0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46
VT
- MD5
a97e6573b97b44c96122bfa543a82ea1
- Disposition
0
Detection, standard detection.
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 158019,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358465000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358403,
"ProcessEndTime": 0,
"ProcessId": 27099548696,
"ParentProcessId": 17216883392,
"Hostname": "BOOK-R0BE6S1NC3",
"UserName": "BOOK-R0BE6S1NC3$",
"Name": "Attacker Methodology",
"Description": "A suspicious process was identified by CrowdStrike. Review the process tree.",
"Severity": 10,
"SeverityName": "Informational",
"FileName": "powershell.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "\u0022powershell.exe\u0022 -ExecutionPolicy Bypass -WindowStyle Hidden -File \u0022C:\\AtomicRedTeam\\atomic-random-runner-v2.ps1\u0022 -TestCount 3 -Silent",
"SHA256String": "0ff6f2c94bc7e2833a5f7e16de1622e5dba70396f31c7d5f56381870317e8c46",
"MD5String": "a97e6573b97b44c96122bfa543a82ea1",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "WORKGROUP",
"FilesWritten": [
{
"Timestamp": 1766358404,
"FileName": "__PSScriptPolicyTest_oyzt0f0l.u22.ps1",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\SystemTemp"
}
],
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:27099548696-10417-3831312?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "024efd237c2d4f87958607652cb04c8b",
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:27099548696-10417-3831312",
"LocalIP": "172.27.1.19",
"MACAddress": "00-72-ee-3e-51-84",
"Tactic": "Execution",
"Technique": "User Execution",
"Objective": "Follow Through",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionValue": 0,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": false,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"PatternId": 10417,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:024efd237c2d4f87958607652cb04c8b:17577316374",
"Type": "ldt",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Execution",
"TacticID": "TA0002",
"Technique": "User Execution",
"TechniqueID": "T1204",
"PatternID": 10417
}
],
"CloudIndicator": false,
"RiskScore": 10
}
}