Global Security Forum

offense triggered due to MITRE ATT&CK events - Process Create

  • 1.  offense triggered due to MITRE ATT&CK events - Process Create

    Posted 12 hours ago

    Hello,

    An excessive number of offenses are being triggered from MITRE ATT&CK framework process create. However, after checking the processes, they do not seem to be malicious, but they are running from different directories.

    Examples of the offenses and processes:

    • Offense: MITRE.WIN.T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
      preceded by MITRE.WIN.T1053.002 Scheduled Task/Job: At (Windows)
      preceded by MITRE.WIN.T1053.005 Scheduled Task/Job: Scheduled Task
      containing Success Audit: Permissions on an object were changed
      • Event Name: Process create
      • Parent Process Name: Dism.exe
      • Parent Process Path: C:\Windows\System32\Dism.exe
      • Process Name: DismHost.exe
      • Process Path: C:\Windows\Temp\8DB99012-1553-4C04-A5F9-98EECF4CF786\DismHost.exe
      • Command: C:\Windows\TEMP\8DB99012-1553-4C04-A5F9-98EECF4CF786\dismhost.exe {DB05CF4A-43E9-453B-B9F3-78C4A42B9184}

    Any recommendation on how to proceed with this offense? Shall I whitelist the process name or the process hash, or format the PC?

    Thanks,

    E



    ------------------------------
    Elie Sbat
    ------------------------------