IBM QRadar

Offense triggered due to MITRE ATT&CK events - Process Create

    Posted yesterday

    Hello,

    An excessive number of offenses are being triggered from the MITRE ATT&CK framework "process create" rules. However, after checking the processes, they do not seem to be malicious, but they are running from different directories.

    Examples of the offenses and processes:

    • Offense: MITRE.WIN.T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
      preceded by MITRE.WIN.T1053.002 Scheduled Task/Job: At (Windows)
      preceded by MITRE.WIN.T1053.005 Scheduled Task/Job: Scheduled Task
      containing Success Audit: Permissions on an object were changed
      • Event Name: Process create
      • Parent Process Name:  Dism.exe
      • Parent Process Path: C:\Windows\System32\Dism.exe
      • Process Name: DismHost.exe
      • Process Path: C:\Windows\Temp\8DB99012-1553-4C04-A5F9-98EECF4CF786\DismHost.exe
      • Command: C:\Windows\TEMP\8DB99012-1553-4C04-A5F9-98EECF4CF786\dismhost.exe {DB05CF4A-43E9-453B-B9F3-78C4A42B9184}

    Any recommendation on how to proceed with this offense? Shall I whitelist the process name or the process hash, or format the PC?

    Thanks,

    E



    ------------------------------
    Elie Sbat
    ------------------------------
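As an added example that is not part of the original post: a triage filter over the Process Create fields quoted above. It tunes out only the exact Dism.exe-to-DismHost.exe pairing (parent in System32, child under C:\Windows\Temp\<GUID>\, command line carrying a GUID argument) and sends anything else for review, which is narrower than allowlisting the process name alone. The field names follow the post; the event dictionary is a constructed sample, not a real QRadar payload.

```python
import re

# Pattern pieces for the servicing layout described in the post (assumption:
# only this parent/child/path/command-line combination is tuned out).
GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
TEMP_DIR = r"C:\\Windows\\Temp\\" + GUID + r"\\"

PARENT_PATH_RE = re.compile(r"^C:\\Windows\\System32\\Dism\.exe$", re.I)
CHILD_PATH_RE = re.compile("^" + TEMP_DIR + r"DismHost\.exe$", re.I)
COMMAND_RE = re.compile("^" + TEMP_DIR + r"DismHost\.exe \{" + GUID + r"\}$", re.I)


def classify(event):
    """Return 'tune_out' for the known servicing pattern, else 'investigate'."""
    parent_name = event.get("Parent Process Name", "").strip()
    parent_path = event.get("Parent Process Path", "").strip()
    name = event.get("Process Name", "").strip()
    path = event.get("Process Path", "").strip()
    cmd = event.get("Command", "").strip()

    # Name fields must agree with the basename of the path fields; a name-only
    # allowlist would not notice a binary of the same name elsewhere.
    if parent_path.rsplit("\\", 1)[-1].lower() != parent_name.lower():
        return "investigate"
    if path.rsplit("\\", 1)[-1].lower() != name.lower():
        return "investigate"
    if not (PARENT_PATH_RE.match(parent_path) and CHILD_PATH_RE.match(path)):
        return "investigate"
    # The command line must launch the same file that Process Path reports.
    if not COMMAND_RE.match(cmd) or cmd.split(" ", 1)[0].lower() != path.lower():
        return "investigate"
    return "tune_out"


# Constructed sample built from the values quoted in the post.
SAMPLE = {
    "Event Name": "Process create",
    "Parent Process Name": "Dism.exe",
    "Parent Process Path": r"C:\Windows\System32\Dism.exe",
    "Process Name": "DismHost.exe",
    "Process Path": r"C:\Windows\Temp\8DB99012-1553-4C04-A5F9-98EECF4CF786\DismHost.exe",
    "Command": r"C:\Windows\TEMP\8DB99012-1553-4C04-A5F9-98EECF4CF786\dismhost.exe {DB05CF4A-43E9-453B-B9F3-78C4A42B9184}",
}

if __name__ == "__main__":
    print(classify(SAMPLE))  # tune_out
```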