F041 · MEDIUM · Suspicious · validator: passed
PowerShell and Windows command-line lolbin execution batch (TA0002: Execution)
powershell.exe, cmd.exe, rundll32.exe, regsvr32.exe
Analyst narrative
AppCompatCache records execution of high-risk command-line tools: powershell.exe (both 32-bit and 64-bit), cmd.exe, rundll32.exe, regsvr32.exe, wmic.exe, sc.exe, schtasks.exe, vssadmin.exe. The pattern indicates a scripted malware execution framework.
Claims asserted
path · powershell.exe · run_appcompatcacheparser
path · cmd.exe · run_appcompatcacheparser
path · rundll32.exe · run_appcompatcacheparser
path · regsvr32.exe · run_appcompatcacheparser
user_accounts · psql
Proof chain · 3 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
registry persistence fact
reg:hklm/system/controlset001/control/safeboot · parse_registry_persistence
Raw tool output · 30b2ab7f41f054569b7ea21f9a1c37916940a363
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM", "hive_type": "SYSTEM", "registry_path": "HKLM\\SYSTEM\\ControlSet001\\Control\\SafeBoot", "value_name": "AlternateShell", "value_data": "cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "safeboot", "control_set": "ControlSet001", "is_active_controlset": true, "user_profile": null, "last_write_time": "2013-08-22T14:48:12.482893+00:00", "evidence_type": "registry_persistence", "raw_excerpt": "{\"registry_path\": \"HKLM\\\
registry persistence fact
reg:hklm/system/controlset002/control/safeboot · parse_registry_persistence
Raw tool output · 9948f6168fae120638e00bb557a6a3ea2ed7be43
{"tool": "parse_registry_persistence", "source_hive": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM", "hive_type": "SYSTEM", "registry_path": "HKLM\\SYSTEM\\ControlSet002\\Control\\SafeBoot", "value_name": "AlternateShell", "value_data": "cmd.exe", "value_type": "REG_SZ", "value_data_truncated": false, "is_default": false, "persistence_type": "safeboot", "control_set": "ControlSet002", "is_active_controlset": false, "user_profile": null, "last_write_time": "2013-08-22T14:48:12.482893+00:00", "evidence_type": "registry_persistence", "raw_excerpt": "{\"registry_path\": \"HKLM\\
scheduled task fact
task:microsoft/windows/ws/license validation · parse_scheduled_tasks_disk
Raw tool output · 43a9d09bf04a78896fa9b98fe3a713af31ad4fba
{"tool": "parse_scheduled_tasks_disk", "source_path": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/Tasks/Microsoft/Windows/WS/License Validation", "task_path": "Microsoft/Windows/WS/License Validation", "task_name": "License Validation", "author": "$(@%SystemRoot%\\system32\\wsservice.dll,-120)", "user_id": "S-1-5-19", "description": "$(@%SystemRoot%\\system32\\wsservice.dll,-123)", "enabled": false, "hidden": true, "run_level": null, "logon_type": null, "triggers": [{"type": "TimeTrigger", "enabled": true, "start_boundary": "2004-01-02T06:00:00", "repetition": {"interval": "PT6H"}}], "ac
Source tools
run_appcompatcacheparser