IBM QRadar

  • 1.  offense triggered due to MITRE ATT&CK events - Process Create

    Posted 28 days ago

    Hello,

    An excessive number of offenses are being triggered from the MITRE ATT&CK framework process create rules. However, after checking the processes, they do not seem to be malicious, but they are running from different directories.

    Examples of the offenses and processes:

    • Offense: MITRE.WIN.T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification
      preceded by MITRE.WIN.T1053.002 Scheduled Task/Job: At (Windows)
      preceded by MITRE.WIN.T1053.005 Scheduled Task/Job: Scheduled Task
      containing Success Audit: Permissions on an object were changed
      • Event Name: Process create
      • Parent Process Name: Dism.exe
      • Parent Process Path: C:\Windows\System32\Dism.exe
      • Process Name: DismHost.exe
      • Process Path: C:\Windows\Temp\8DB99012-1553-4C04-A5F9-98EECF4CF786\DismHost.exe
      • Command: C:\Windows\TEMP\8DB99012-1553-4C04-A5F9-98EECF4CF786\dismhost.exe {DB05CF4A-43E9-453B-B9F3-78C4A42B9184}

    Any recommendation on how to proceed with this offense? Shall I whitelist the process name or the process hash, or format the PC?

    Thanks,

    E



    ------------------------------
    Elie Sbat
    ------------------------------


  • 2.  RE: offense triggered due to MITRE ATT&CK events - Process Create

    Posted 24 days ago

    Hi Elie, 

    Just curious about the offense description; it seems to come from the custom rules of the MITRE Windows Integration App tactics by ScienceSoft. 

    It's a custom rule from a 3rd party, so I have no details of the rule information, but from your description, your offense was triggered by at least 3 different CRE rules, and one event condition (Success Audit: Permission on an object changed) is included. 

    To process them, I think we need to investigate the CRE rules that contributed to this offense first. 



    ------------------------------
    Regards, thank you.
    ByongJun "BJ" Na (나병준)
    IBM Threat Management Consulting SME for APAC
    IBM Certified Security Solution Advisor (Director/Expert Advisor), CISSP, IBM Certified ADP
    - You solve one problem, and you solve the next one, and then the next.
    And if you solve enough problems, you get to come home. - From Martian -
    Phone: 822-3781-4843 | Mobile: 82-10-4995-4843
    E-mail: bjna@kr.ibm.com
    ------------------------------



  • 3.  RE: offense triggered due to MITRE ATT&CK events - Process Create

    Posted 24 days ago
    Edited by Ralph Belfiore 24 days ago

    Hello Elie,

    Dismhost.exe is a legitimate Windows process that is part of the Deployment Image Servicing and Management (DISM). It is responsible for hosting the DISM service, which is used to manage and service Windows images, including installing, uninstalling and updating components, drivers, and packages. The process is typically launched by the Windows operating system and runs in the background to perform various system maintenance tasks. However, in the context of the offense details you provided earlier, the invocation of an executable file from the Temp folder, including a potential dismhost.exe, may indicate malicious activity if it is not a legitimate system-initiated process.

    I would recommend asking your internal team or admin who may have been running this program on a schedule, and why, if not... After that, maybe this will support your decision on how to tune this behavior.

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | CyberSecurity Strategy | SIEM & Data Resilience
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------
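The thread leaves the tuning question open: suppress by process name or by file hash, and how much weight to give a binary that runs from C:\Windows\Temp. The following is an added, stand-alone Python illustration of that choice; it is not code from the thread, from IBM or QRadar, or from the ScienceSoft app, and it does not talk to the QRadar rule engine. It takes the process-create event quoted in the first post (Dism.exe spawning DismHost.exe from a GUID-named directory under C:\Windows\Temp) as the pattern to tune for, and compares a name-only allow rule against one that also binds the parent path, the directory pattern and a vetted file hash. The hash strings, the other three sample events, and the list of user-writable directories are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed regexes for directories a non-admin user (or a dropper) can write
# to; an executable launched from one of them is worth a second look.
USER_WRITABLE_DIRS = (
    r"c:\\windows\\temp\\",
    r"c:\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"c:\\programdata\\",
)
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# The thread shows Dism.exe launching DismHost.exe from C:\Windows\Temp\<GUID>\;
# that is the only directory shape the rule below accepts for it.
DISM_SCRATCH_DIR = r"c:\\windows\\temp\\" + GUID


@dataclass(frozen=True)
class AllowRule:
    """One tuning entry: which parent may spawn which child, from where, and
    (optionally) with which file hashes. An empty hash set means name-only tuning."""
    parent_path: str
    child_name: str
    child_dir_pattern: str
    sha256_allowed: frozenset = frozenset()

    def matches(self, ev):
        directory, _, name = ev["process_path"].lower().rpartition("\\")
        if ev["parent_path"].lower() != self.parent_path.lower():
            return False
        if name != self.child_name.lower():
            return False
        if not re.fullmatch(self.child_dir_pattern, directory):
            return False
        return not self.sha256_allowed or ev["sha256"].lower() in self.sha256_allowed


def from_user_writable_dir(process_path):
    """True if the executable's directory is one anyone on the box can write to."""
    directory = process_path.lower().rpartition("\\")[0] + "\\"
    return any(re.match(p, directory) for p in USER_WRITABLE_DIRS)


def classify(ev, rules):
    """'allowlisted' if a tuning rule covers the event, 'review' if the binary ran
    from a user-writable directory without a rule, 'baseline' otherwise."""
    if any(rule.matches(ev) for rule in rules):
        return "allowlisted"
    if from_user_writable_dir(ev["process_path"]):
        return "review"
    return "baseline"


def triage(events, rules):
    return [classify(ev, rules) for ev in events]


# Constructed sample events shaped like the process-create fields quoted in the
# thread. The SHA-256 values are placeholders, not real hashes of any binary.
KNOWN_DISMHOST_HASH = "placeholder_sha256_of_known_good_dismhost"
SAMPLE_EVENTS = [
    {  # the event from the thread: Dism.exe spawning DismHost.exe from its scratch dir
        "parent_path": r"C:\Windows\System32\Dism.exe",
        "process_path": r"C:\Windows\Temp\8DB99012-1553-4C04-A5F9-98EECF4CF786\DismHost.exe",
        "sha256": KNOWN_DISMHOST_HASH,
    },
    {  # same parent and directory shape, but a file hash nobody has vetted
        "parent_path": r"C:\Windows\System32\Dism.exe",
        "process_path": r"C:\Windows\Temp\0F3C2A91-7D44-4E1B-9C55-2A7E6B1D8F01\DismHost.exe",
        "sha256": "placeholder_sha256_of_unvetted_file",
    },
    {  # same file name in a Temp folder, but launched by a parent that is not Dism.exe
        "parent_path": r"C:\Windows\System32\cmd.exe",
        "process_path": r"C:\Users\alice\AppData\Local\Temp\DismHost.exe",
        "sha256": "placeholder_sha256_of_unvetted_file",
    },
    {  # ordinary system process from a protected directory
        "parent_path": r"C:\Windows\System32\services.exe",
        "process_path": r"C:\Windows\System32\svchost.exe",
        "sha256": "placeholder_sha256_of_svchost",
    },
]

NAME_ONLY_RULES = [AllowRule(r"C:\Windows\System32\Dism.exe", "DismHost.exe", DISM_SCRATCH_DIR)]
HASH_BOUND_RULES = [AllowRule(r"C:\Windows\System32\Dism.exe", "DismHost.exe",
                              DISM_SCRATCH_DIR, frozenset({KNOWN_DISMHOST_HASH}))]

if __name__ == "__main__":
    for label, rules in (("name-only", NAME_ONLY_RULES), ("hash-bound", HASH_BOUND_RULES)):
        print(label, triage(SAMPLE_EVENTS, rules))
```

Run as-is, the name-only rule silences both DismHost.exe events under Dism.exe, including the one whose file hash nobody has checked, while the hash-bound rule silences only the vetted one and leaves the other for review. Neither rule touches the DismHost.exe launched by cmd.exe from a user profile, which is the case Ralph's note about Temp-folder invocations is aimed at. In QRadar terms the same distinction applies whichever way the tuning is expressed: a reference set of vetted hashes (plus the parent path and directory pattern) is a narrower exception than a process-name match, and the scheduled-task context the second and third replies ask about is what tells you which hash belongs in that set.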