Pernat1y сказал(а):
Откуда ивент идёт и в каком виде?
Вот в таком виде, а откуда к сожалению не могу сказать )
"svrt":3
"sess":0
"act":2
"t":4
"st":51
"time":"2022-02-10T06:35:36.261361200Z"
"rul":"20-343@BlockPowerShell"
"pid":15940
"ppid":19828
"app":"\Device\HarddiskVolume3\Windows\System32\Wi ndowsPowerShell\v1.0\powershell.exe"
"rf0":262144
"exclf":140737488355361
"uuid":"696c4d6c-1e48-01d8-472f-000000000000"
"dom":"NT AUTHORITY"
"usr":"СИСТЕМА"
"who":"\Device\HarddiskVolume3\Windows\System32\nt dll.dll"
"whotid":17640
"whoaddr":140707855034480
"whof":240526598156
"wdir":"C:\Windows\system32\"
"cmdl":"powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';"
"cmdlp":"C:\Windows\system32\CompatTelRunner.e xe -m:appraiser.dll -foScheduledTelemetryRun -cv:rFqUtNrzg0+poP0O.1"
"cmdlg":"C:\Windows\system32\compattelrunner.e xe"
"prot":0
"when":"2022-02-10T06:35:36.259694300Z"
"cpid":19828
"cpath":"\Device\HarddiskVolume3\Windows\System32\ CompatTelRunner.exe"
"sid":"S-1-5-18"
"imgf":140737488355361
"base":140699454275584
"isize":450560
"crtime":"2021-06-05T12:07:00.067985000Z"
"chtime":"2021-06-05T12:07:00.067985000Z"
"fsize":450560
"ftype":2
"attr":32
"sha1":"eee0b7e9fdb295ea97c5f2e7c7ba3ac7f40852 04"
"md5":"0e9ccd796e251916133392539572a374"
"sha256":"c7d4e119149a7150b7101a4bd9fffbf659fba76d 058f7bf6cc73c99fb36e8221"
"parent":"50ad084f-1e48-01d8-3b2f-000000000000"
"caller":"50ad084f-1e48-01d8-3b2f-000000000000"
"agent_id":"9cf5cfca29d171585ab6832c713cb87c79 "
"creation_time":"2022-02-10T06:35:37.384914"