logs.log

2024-04-02 11:10:00,387 - file - DEBUG - Debug FILE -- App Started
2024-04-02 11:10:01,052 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-02 11:11:33,718 - file - DEBUG - mqtt -- msg received ***
2024-04-02 11:11:33,719 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 11:11:33,719 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "bed68f014ad34817b035856507751a20", "created": 1712070692572, "from": "OIF Orchestrator 2", "actuator_id": "bed68f014ad34817b035856507751a20"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-02 11:11:33,745 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-02 11:11:33,746 - kestrel.config - DEBUG - Loading default config file...
2024-04-02 11:11:33,770 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-02 11:11:33,770 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-02 11:11:33,770 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-02 11:11:33,772 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-00fe82cb-cd27-43b5-8e03-40d11eb7a3c0.
2024-04-02 11:11:35,384 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-02 11:11:37,378 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-02 11:11:37,378 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-02 11:11:37,410 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-02 11:11:37,410 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-02 11:11:38,161 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-02 11:11:38,175 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-02 11:11:38,176 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-02 11:11:38,236 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-02 11:11:40,132 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-02 11:11:40,132 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-02 11:11:40,171 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-02 11:11:40,172 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-02 11:11:41,799 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-02 11:11:41,799 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-02 11:11:41,807 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-02 11:11:42,071 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.14','172.16.1.13')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-02 11:11:42,121 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-02 11:11:43,982 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-02 11:11:43,982 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-02 11:11:44,011 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-02 11:11:44,012 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-02 11:11:45,026 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 11:11:45,026 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 11:11:45,027 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "bed68f014ad34817b035856507751a20", "created": 1712070705025, "from": "oif-device-priapus-1712070600366", "actuator_id": "bed68f014ad34817b035856507751a20"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-02 11:27:50,812 - file - DEBUG - mqtt -- msg received ***
2024-04-02 11:27:50,812 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 11:27:50,813 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a6c2d313211e4228a62fc13d646f6ff7", "created": 1712071669635, "from": "OIF Orchestrator 2", "actuator_id": "a6c2d313211e4228a62fc13d646f6ff7"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 11:30:44,660 - file - DEBUG - Debug FILE -- App Started
2024-04-02 11:30:45,410 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-02 11:30:59,122 - file - DEBUG - mqtt -- msg received ***
2024-04-02 11:30:59,123 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 11:30:59,123 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a9ca4320579a46c689458b3a5f4b6378", "created": 1712071857963, "from": "OIF Orchestrator 2", "actuator_id": "a9ca4320579a46c689458b3a5f4b6378"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 11:31:16,393 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 11:31:16,393 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 11:31:16,393 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a9ca4320579a46c689458b3a5f4b6378", "created": 1712071876389, "from": "oif-device-priapus-1712071844641", "actuator_id": "a9ca4320579a46c689458b3a5f4b6378"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:11:47,107 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:11:47,107 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:11:47,108 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e257d7378bff40068310dfbe145bcc13", "created": 1712077905985, "from": "OIF Orchestrator 2", "actuator_id": "e257d7378bff40068310dfbe145bcc13"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:11:51,836 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:11:51,836 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:11:51,836 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e257d7378bff40068310dfbe145bcc13", "created": 1712077911833, "from": "oif-device-priapus-1712071844641", "actuator_id": "e257d7378bff40068310dfbe145bcc13"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:17:59,866 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:17:59,867 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:17:59,867 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "129926d54baa41a2be2a1d2cacfb2339", "created": 1712078278740, "from": "OIF Orchestrator 2", "actuator_id": "129926d54baa41a2be2a1d2cacfb2339"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:17:59,889 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:17:59,890 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:17:59,890 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "129926d54baa41a2be2a1d2cacfb2339", "created": 1712078279888, "from": "oif-device-priapus-1712071844641", "actuator_id": "129926d54baa41a2be2a1d2cacfb2339"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:30:19,661 - file - DEBUG - Debug FILE -- App Started
2024-04-02 13:30:20,494 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-02 13:30:55,734 - file - DEBUG - Debug FILE -- App Started
2024-04-02 13:30:56,334 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-02 13:34:24,913 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:34:24,913 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:34:24,913 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "2de4d40f27634b04bda5b9349770f026", "created": 1712079259801, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:34:24,950 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:34:24,951 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:34:24,951 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "2de4d40f27634b04bda5b9349770f026", "created": 1712079264947, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:41:51,369 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:41:51,369 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:41:51,370 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "47004cedde8f47ca99fb2ba41dc80b2d", "created": 1712079710204, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:41:51,401 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:41:51,402 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:41:51,402 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "47004cedde8f47ca99fb2ba41dc80b2d", "created": 1712079711400, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:50:17,014 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:50:17,014 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:50:17,014 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "91b1ec72b8bc4a3aa4f9c347465aa181", "created": 1712080215831, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:50:17,043 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:50:17,043 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:50:17,044 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "91b1ec72b8bc4a3aa4f9c347465aa181", "created": 1712080217042, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 13:59:09,486 - file - DEBUG - mqtt -- msg received ***
2024-04-02 13:59:09,486 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 13:59:09,486 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "48ce7b565e114495b19ec412d833a25d", "created": 1712080748311, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 13:59:09,512 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 13:59:09,512 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 13:59:09,512 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "48ce7b565e114495b19ec412d833a25d", "created": 1712080749510, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:00:04,372 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:00:04,372 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:00:04,372 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b8a7452d5b754d9a8c12351ae473103e", "created": 1712080803231, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:00:04,420 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:00:04,420 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:00:04,421 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b8a7452d5b754d9a8c12351ae473103e", "created": 1712080804416, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:00:16,660 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:00:16,660 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:00:16,660 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b07cc5bc78ee41c2b5b6fd2b9f34032b", "created": 1712080815460, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:00:16,695 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:00:16,695 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:00:16,695 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b07cc5bc78ee41c2b5b6fd2b9f34032b", "created": 1712080816693, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:00:38,163 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:00:38,164 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:00:38,164 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "9f01fd3aa4154aa1ac09bede465a7f29", "created": 1712080836983, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:00:38,189 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:00:38,189 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:00:38,189 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "9f01fd3aa4154aa1ac09bede465a7f29", "created": 1712080838188, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:02:03,052 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:02:03,052 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:02:03,052 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "8e61090d378d4cbea5463fb969d3ad7e", "created": 1712080921900, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:02:03,084 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:02:03,084 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:02:03,084 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "8e61090d378d4cbea5463fb969d3ad7e", "created": 1712080923082, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:03:03,673 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:03:03,673 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:03:03,674 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "36393c3d3e3b4bdea48c469e818458a4", "created": 1712080982500, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:03:03,700 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:03:03,700 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:03:03,700 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "36393c3d3e3b4bdea48c469e818458a4", "created": 1712080983699, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:03:15,960 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:03:15,960 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:03:15,961 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "7d6b9417e0d044a9b515f29a31269250", "created": 1712080994795, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:03:15,988 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:03:15,989 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:03:15,989 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "7d6b9417e0d044a9b515f29a31269250", "created": 1712080995987, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:08:00,370 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:08:00,370 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:08:00,371 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c5c1f358e5e3460290ed9d9d3e6fde88", "created": 1712081279247, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:08:00,435 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:08:00,436 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:08:00,436 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c5c1f358e5e3460290ed9d9d3e6fde88", "created": 1712081280432, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:09:01,786 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:09:01,786 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:09:01,786 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "62cc443dc2d1412ea97031858a5553fa", "created": 1712081340667, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:09:01,821 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:09:01,821 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:09:01,822 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "62cc443dc2d1412ea97031858a5553fa", "created": 1712081341819, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:12:38,949 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:12:38,949 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:12:38,949 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "bda7585ff6c144a9b4a58b644492d2d6", "created": 1712081557824, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:12:38,990 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:12:38,990 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:12:38,990 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "bda7585ff6c144a9b4a58b644492d2d6", "created": 1712081558987, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:16:02,725 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:16:02,725 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:16:02,725 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "dd8ad97fe8c240d79ea0b9f93608cea8", "created": 1712081761523, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:16:02,760 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:16:02,760 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:16:02,761 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "dd8ad97fe8c240d79ea0b9f93608cea8", "created": 1712081762759, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:19:58,651 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:19:58,652 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:19:58,652 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "04d05efba3cf4dbd98205bd8e4ce2e59", "created": 1712081997499, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:19:58,684 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:19:58,684 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:19:58,684 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "04d05efba3cf4dbd98205bd8e4ce2e59", "created": 1712081998682, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:21:08,385 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:21:08,385 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:21:08,385 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "498103b2bbce434f95492553dccc61a1", "created": 1712082067160, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:21:08,419 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:21:08,419 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:21:08,419 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "498103b2bbce434f95492553dccc61a1", "created": 1712082068417, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:28:34,742 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:28:34,742 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:28:34,743 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "347fde4cc44f49c49f80085d318c578a", "created": 1712082502011, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:28:34,783 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:28:34,783 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:28:34,783 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "347fde4cc44f49c49f80085d318c578a", "created": 1712082514780, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:36:32,942 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:36:32,945 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:36:32,945 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "3a57704a60344e43b4cf10c5dbe5ac02", "created": 1712082991789, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:36:33,076 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:36:33,076 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:36:33,077 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "3a57704a60344e43b4cf10c5dbe5ac02", "created": 1712082993075, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:37:11,044 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:37:11,044 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:37:11,044 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "d1c5140c8e9e4d7187298339f4cfa7b0", "created": 1712083029922, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:37:11,073 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:37:11,073 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:37:11,073 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "d1c5140c8e9e4d7187298339f4cfa7b0", "created": 1712083031071, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:41:56,010 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:41:56,011 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:41:56,011 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "98440dad7c4f4251850985f63f02bfeb", "created": 1712083314816, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:41:56,043 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:41:56,043 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:41:56,043 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "98440dad7c4f4251850985f63f02bfeb", "created": 1712083316041, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 14:43:17,931 - file - DEBUG - mqtt -- msg received ***
2024-04-02 14:43:17,931 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 14:43:17,931 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "095513461a204422a9365e81e1ad526d", "created": 1712083396748, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 14:43:17,980 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 14:43:17,980 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 14:43:17,981 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "095513461a204422a9365e81e1ad526d", "created": 1712083397974, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:22:33,619 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:22:33,622 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:22:33,622 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "9ac52cf64d4a459690c8feb199937ef5", "created": 1712085752362, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:22:33,765 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:22:33,765 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:22:33,765 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "9ac52cf64d4a459690c8feb199937ef5", "created": 1712085753763, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:26:48,423 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:26:48,424 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:26:48,424 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b0f3e91fc0f647899c1b9c8fbb1a6375", "created": 1712086007298, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:26:48,460 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:26:48,461 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:26:48,461 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b0f3e91fc0f647899c1b9c8fbb1a6375", "created": 1712086008459, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:39:46,515 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:39:46,518 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:39:46,519 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "4f6440bdc4784daaa76f8765cd51260a", "created": 1712086785376, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:39:46,618 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:39:46,618 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:39:46,618 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "4f6440bdc4784daaa76f8765cd51260a", "created": 1712086786614, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:42:49,501 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:42:49,502 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:42:49,502 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "30d6fb92ad0e4a5f974d299ad6daf2f1", "created": 1712086968288, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:42:49,528 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:42:49,528 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:42:49,529 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "30d6fb92ad0e4a5f974d299ad6daf2f1", "created": 1712086969526, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:44:04,354 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:44:04,355 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:44:04,355 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "67cd1dd6f0e84c9693eae46d0564376f", "created": 1712087043154, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:44:04,388 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:44:04,388 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:44:04,389 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "67cd1dd6f0e84c9693eae46d0564376f", "created": 1712087044386, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:44:47,261 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:44:47,262 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:44:47,262 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "8465956b0b884be7b5a72c3efa52844b", "created": 1712087086027, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:44:47,305 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:44:47,305 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:44:47,305 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "8465956b0b884be7b5a72c3efa52844b", "created": 1712087087304, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:47:16,043 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:47:16,043 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:47:16,043 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e7a17e683d5e4faba284c109b39c999d", "created": 1712087234842, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:47:16,067 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:47:16,067 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:47:16,067 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e7a17e683d5e4faba284c109b39c999d", "created": 1712087236066, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 15:52:07,262 - file - DEBUG - mqtt -- msg received ***
2024-04-02 15:52:07,262 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 15:52:07,262 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "6c1bcabd57d846169a3ca93f821b9abf", "created": 1712087526122, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 15:52:07,297 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 15:52:07,297 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 15:52:07,298 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "6c1bcabd57d846169a3ca93f821b9abf", "created": 1712087527293, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:01:43,660 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:01:43,660 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:01:43,660 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e4b70f56ca284c48b1bc1669da915a18", "created": 1712088102448, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:01:43,683 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:01:43,683 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:01:43,683 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e4b70f56ca284c48b1bc1669da915a18", "created": 1712088103682, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:04:06,710 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:04:06,710 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:04:06,710 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0d3d07a2e71e4ccc877d223bbd8e3671", "created": 1712088245507, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:04:06,754 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:04:06,754 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:04:06,754 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0d3d07a2e71e4ccc877d223bbd8e3671", "created": 1712088246751, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:10:31,264 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:10:31,264 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:10:31,265 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "429c0f1e6525414396f352d851809a1f", "created": 1712088630143, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:10:31,309 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:10:31,309 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:10:31,309 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "429c0f1e6525414396f352d851809a1f", "created": 1712088631305, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:12:23,616 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:12:23,617 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:12:23,617 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "729fcfbb7c8546809dae3f1cc67c0e9e", "created": 1712088742488, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:12:23,647 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:12:23,647 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:12:23,648 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "729fcfbb7c8546809dae3f1cc67c0e9e", "created": 1712088743644, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:14:03,784 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:14:03,784 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:14:03,784 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1e6546c224634753994d32d2dc5ba8cf", "created": 1712088842663, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:14:03,835 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:14:03,836 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:14:03,836 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1e6546c224634753994d32d2dc5ba8cf", "created": 1712088843832, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:14:26,428 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:14:26,428 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:14:26,429 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b3dcf8ae7a814aac862ad90696fb4e76", "created": 1712088865308, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:14:26,485 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:14:26,487 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:14:26,488 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b3dcf8ae7a814aac862ad90696fb4e76", "created": 1712088866477, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:15:20,489 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:15:20,489 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:15:20,489 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b03c7612377842489f7cb97ae51c37c2", "created": 1712088919310, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:15:20,575 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:15:20,576 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:15:20,576 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b03c7612377842489f7cb97ae51c37c2", "created": 1712088920573, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:17:15,189 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:17:15,189 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:17:15,190 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c510885316bc4643ad989b50b251693d", "created": 1712089034057, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:17:15,233 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:17:15,233 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:17:15,233 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c510885316bc4643ad989b50b251693d", "created": 1712089035231, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-02 16:39:23,063 - file - DEBUG - mqtt -- msg received ***
2024-04-02 16:39:23,063 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-02 16:39:23,063 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a48442b5b59d49639ad0a80c6bd96506", "created": 1712090361936, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-02 16:39:23,111 - file - DEBUG - mqtt -- publishing msg ***
2024-04-02 16:39:23,111 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-02 16:39:23,112 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a48442b5b59d49639ad0a80c6bd96506", "created": 1712090363107, "from": "oif-device-priapus-1712079055710"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 14:51:24,185 - file - DEBUG - Debug FILE -- App Started
2024-04-03 14:51:24,573 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-03 14:51:42,787 - file - DEBUG - mqtt -- msg received ***
2024-04-03 14:51:42,787 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 14:51:42,787 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a60e50716184489eb22263f807b335e5", "created": 1712170301670, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 14:51:42,900 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 14:51:42,900 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 14:51:42,901 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a60e50716184489eb22263f807b335e5", "created": 1712170302897, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 14:52:20,698 - file - DEBUG - mqtt -- msg received ***
2024-04-03 14:52:20,698 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 14:52:20,698 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "cd48f8a75ac344f38a3d7e3e8f5857a0", "created": 1712170339579, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 14:52:20,754 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 14:52:20,755 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 14:52:20,755 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "cd48f8a75ac344f38a3d7e3e8f5857a0", "created": 1712170340751, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 14:53:04,033 - file - DEBUG - mqtt -- msg received ***
2024-04-03 14:53:04,033 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 14:53:04,033 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "064d896bb3c9483ab47dcbcb6b90172a", "created": 1712170382912, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 14:53:04,067 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 14:53:04,067 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 14:53:04,067 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "064d896bb3c9483ab47dcbcb6b90172a", "created": 1712170384062, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 14:59:46,870 - file - DEBUG - mqtt -- msg received ***
2024-04-03 14:59:46,870 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 14:59:46,870 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "d1012c714a634ca892a40fefe4d5ba01", "created": 1712170785754, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 14:59:46,966 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 14:59:46,967 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 14:59:46,967 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "d1012c714a634ca892a40fefe4d5ba01", "created": 1712170786965, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:09:37,762 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:09:37,762 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:09:37,762 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b1f52d739b864b98a54f163e71657b48", "created": 1712171376611, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:09:37,796 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:09:37,796 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:09:37,797 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b1f52d739b864b98a54f163e71657b48", "created": 1712171377795, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:12:05,629 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:12:05,629 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:12:05,629 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "9f8c281aa654446b94e6e40ddb935796", "created": 1712171524450, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:12:05,672 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:12:05,672 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:12:05,672 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "9f8c281aa654446b94e6e40ddb935796", "created": 1712171525669, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:14:16,982 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:14:16,983 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:14:16,983 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f30491cac5354b8aa72cfec634e7d159", "created": 1712171655867, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:14:17,012 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:14:17,013 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:14:17,013 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f30491cac5354b8aa72cfec634e7d159", "created": 1712171657010, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:14:17,792 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:14:17,792 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:14:17,792 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "d51d45e4-adcd-46b0-b595-35126b5d39a4", "from": "mqtt_tester-MacBook-Pro.local-1712171656561", "to": "test_receiver", "created": 1712171656562}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-03 15:14:17,823 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-03 15:14:17,825 - kestrel.config - DEBUG - Loading default config file...
2024-04-03 15:14:17,849 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-03 15:14:17,850 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-03 15:14:17,850 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-03 15:14:17,851 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-768d18b6-33a1-45fa-baa0-d064670c4d07.
2024-04-03 15:14:20,044 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:14:22,098 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:14:22,099 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-03 15:14:22,140 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:14:22,141 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:14:23,325 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-03 15:14:23,616 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-04T19:14:19.713Z' STOP t'2024-04-03T19:14:19.713Z'
2024-04-03 15:14:23,675 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:14:25,429 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:14:25,429 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-03 15:14:25,460 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:14:25,460 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:14:26,002 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-03 15:14:26,322 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-04T19:14:19.731Z' STOP t'2024-04-03T19:14:19.731Z'
2024-04-03 15:14:26,366 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:14:28,414 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:28,415 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:28,651 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:28,652 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:28,892 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:28,893 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:29,157 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:29,158 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:29,360 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:29,362 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:29,749 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:29,750 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:29,984 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:29,985 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:30,184 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:30,185 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:30,511 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:30,512 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:30,814 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:30,815 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:31,066 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:31,067 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:14:31,119 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:31,120 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-03 15:14:31,159 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:14:31,160 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:15:13,527 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:15:13,527 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:15:13,527 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "d51d45e4-adcd-46b0-b595-35126b5d39a4", "created": 1712171713521, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-03 15:15:39,031 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:15:39,031 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:15:39,031 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "77617443-d194-4994-8870-f419500d5469", "from": "mqtt_tester-MacBook-Pro.local-1712171738018", "to": "test_receiver", "created": 1712171738019}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-03 15:15:39,053 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-03 15:15:39,054 - kestrel.config - DEBUG - Loading default config file...
2024-04-03 15:15:39,087 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-03 15:15:39,087 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-03 15:15:39,088 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-03 15:15:39,089 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-dfbe7043-0bb9-4725-9d54-37027bff6502.
2024-04-03 15:15:40,005 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:15:41,797 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:15:41,798 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-03 15:15:41,841 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:15:41,841 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:15:43,484 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-03 15:15:43,815 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-04T19:15:39.952Z' STOP t'2024-04-03T19:15:39.952Z'
2024-04-03 15:15:43,858 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:15:45,585 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:15:45,586 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-03 15:15:45,612 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:15:45,613 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:15:46,190 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-03 15:15:46,452 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-04T19:15:39.953Z' STOP t'2024-04-03T19:15:39.953Z'
2024-04-03 15:15:46,491 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:15:48,396 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:48,397 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:48,738 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:48,739 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:48,953 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:48,954 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:49,182 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:49,183 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:49,376 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:49,377 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:49,610 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:49,611 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:49,891 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:49,892 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:50,186 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:50,187 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:50,461 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:50,462 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:50,730 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:50,731 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:51,102 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:51,103 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:15:51,159 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:51,160 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-03 15:15:51,201 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:15:51,201 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:16:36,018 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:16:36,018 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:16:36,018 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "77617443-d194-4994-8870-f419500d5469", "created": 1712171796008, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-03 15:17:45,396 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:17:45,396 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:17:45,396 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "3de6e3ebefef4da4a0b7aaf918415efd", "created": 1712171864167, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:17:45,433 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:17:45,433 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:17:45,433 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "3de6e3ebefef4da4a0b7aaf918415efd", "created": 1712171865431, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:22:47,372 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:22:47,373 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:22:47,373 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "39dd21288cd44d64ac35874b8da6b93e", "created": 1712172166163, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:22:47,417 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:22:47,418 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:22:47,418 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "39dd21288cd44d64ac35874b8da6b93e", "created": 1712172167416, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:25:31,131 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:25:31,131 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:25:31,132 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "78fe6366301d4726ac8224c6487a5bf8", "created": 1712172329900, "from": "oc2-orch2-MacBook-Pro.local"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-03 15:25:31,162 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:25:31,162 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:25:31,162 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "78fe6366301d4726ac8224c6487a5bf8", "created": 1712172331160, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-03 15:28:06,758 - file - DEBUG - mqtt -- msg received ***
2024-04-03 15:28:06,759 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-03 15:28:06,759 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f02b2bff770a495fa13190f69469802f", "created": 1712172485523, "from": "oc2-orch2-MacBook-Pro.local"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-03 15:28:06,775 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-03 15:28:06,776 - kestrel.config - DEBUG - Loading default config file...
2024-04-03 15:28:06,800 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-03 15:28:06,800 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-03 15:28:06,800 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-03 15:28:06,801 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-237c081a-004f-412f-88e9-1ea5d6159103.
2024-04-03 15:28:07,676 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:28:09,427 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:28:09,427 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-03 15:28:09,456 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-03 15:28:09,456 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:28:10,558 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-03 15:28:10,810 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-04T19:28:07.626Z' STOP t'2024-04-03T19:28:07.626Z'
2024-04-03 15:28:10,864 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:28:12,635 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:28:12,636 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-03 15:28:12,665 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-03 15:28:12,665 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:28:13,673 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-03 15:28:13,919 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-04T19:28:07.627Z' STOP t'2024-04-03T19:28:07.627Z'
2024-04-03 15:28:14,017 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-03 15:28:15,848 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:15,850 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:16,055 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:16,056 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:16,322 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:16,323 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:16,640 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:16,641 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:16,833 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:16,833 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:17,004 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:17,004 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:17,199 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:17,199 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:17,518 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:17,519 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:17,800 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:17,801 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:18,084 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:18,085 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:18,249 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:18,250 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-03 15:28:18,304 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:18,304 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-03 15:28:18,345 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-03 15:28:18,346 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-03 15:28:58,114 - file - DEBUG - mqtt -- publishing msg ***
2024-04-03 15:28:58,114 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-03 15:28:58,114 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f02b2bff770a495fa13190f69469802f", "created": 1712172538108, "from": "oif-device-priapus-1712170284143"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-04 10:22:49,892 - file - DEBUG - Debug FILE -- App Started
2024-04-04 10:22:50,460 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-04 11:27:21,308 - file - DEBUG - mqtt -- msg received ***
2024-04-04 11:27:21,311 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 11:27:21,311 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b22e48fce9e540e685e3b5fe92f62439", "created": 1712244440140, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 11:27:21,409 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 11:27:21,409 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 11:27:21,409 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b22e48fce9e540e685e3b5fe92f62439", "created": 1712244441403, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 11:42:48,042 - file - DEBUG - mqtt -- msg received ***
2024-04-04 11:42:48,042 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 11:42:48,042 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "61e04a01c2ea4582b2c8f9991c609d75", "created": 1712245366439, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 11:42:48,076 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 11:42:48,077 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 11:42:48,077 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "61e04a01c2ea4582b2c8f9991c609d75", "created": 1712245368073, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 11:44:26,111 - file - DEBUG - mqtt -- msg received ***
2024-04-04 11:44:26,111 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 11:44:26,111 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "09a01d42a98e4ed697c65b3b8dcd44a0", "created": 1712245464861, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 11:44:26,160 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 11:44:26,160 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 11:44:26,161 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "09a01d42a98e4ed697c65b3b8dcd44a0", "created": 1712245466155, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:04:37,300 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:04:37,305 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:04:37,305 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "bd072621313b4dd2879bfd4de287afcc", "created": 1712246676174, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:04:37,382 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:04:37,382 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:04:37,382 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "bd072621313b4dd2879bfd4de287afcc", "created": 1712246677380, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:05:40,083 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:05:40,083 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:05:40,083 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "02de2dca32b249a4b4a289c0883af8d8", "created": 1712246738846, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:05:40,110 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:05:40,110 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:05:40,110 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "02de2dca32b249a4b4a289c0883af8d8", "created": 1712246740108, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:10:30,569 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:10:30,570 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:10:30,570 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "3f49448c5f18447d92a098c99f854b1f", "created": 1712247029276, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:10:30,608 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:10:30,608 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:10:30,608 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "3f49448c5f18447d92a098c99f854b1f", "created": 1712247030605, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:13:22,913 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:13:22,913 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:13:22,913 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a570f680803643ce9ed870c647441a18", "created": 1712247201789, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:13:22,948 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:13:22,948 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:13:22,948 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a570f680803643ce9ed870c647441a18", "created": 1712247202946, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:14:19,221 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:14:19,221 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:14:19,221 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0ef8114ba34c432da4cfceac598a30fe", "created": 1712247258017, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:14:19,247 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:14:19,248 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:14:19,248 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0ef8114ba34c432da4cfceac598a30fe", "created": 1712247259245, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:18:22,506 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:18:22,506 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:18:22,507 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a5949a95633a4c53bf00bc3cd23e5c59", "created": 1712247501373, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:18:22,532 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:18:22,532 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:18:22,532 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a5949a95633a4c53bf00bc3cd23e5c59", "created": 1712247502530, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:19:50,766 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:19:50,766 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:19:50,766 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "35b4c6efb1214a8289bcae9ca6115564", "created": 1712247589641, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:19:50,794 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:19:50,794 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:19:50,794 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "35b4c6efb1214a8289bcae9ca6115564", "created": 1712247590792, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:20:19,069 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:20:19,069 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:20:19,069 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "ea85ec3c44064c599fa66e338f1eb452", "created": 1712247617943, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:20:19,109 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:20:19,110 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:20:19,111 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "ea85ec3c44064c599fa66e338f1eb452", "created": 1712247619104, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 12:20:30,626 - file - DEBUG - mqtt -- msg received ***
2024-04-04 12:20:30,627 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 12:20:30,627 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "5101923288db4c98957f78321d1f6570", "created": 1712247629428, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 12:20:30,657 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 12:20:30,657 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 12:20:30,658 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "5101923288db4c98957f78321d1f6570", "created": 1712247630656, "from": "oif-device-priapus-1712240569872"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 14:03:16,444 - file - DEBUG - Debug FILE -- App Started
2024-04-04 14:03:16,976 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-04 14:04:21,926 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:04:21,926 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:04:21,926 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f422c7d1511b4e539b30b6d541a8cf25", "created": 1712253858626, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 14:04:21,954 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:04:21,954 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:04:21,954 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f422c7d1511b4e539b30b6d541a8cf25", "created": 1712253861950, "from": "oif-device-priapus-1712253796415"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 14:11:19,101 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:11:19,101 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:11:19,101 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "4c73e178f80b4bcdb9f6e50768263fb0", "created": 1712254275791, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 14:11:19,129 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:11:19,129 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:11:19,129 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "4c73e178f80b4bcdb9f6e50768263fb0", "created": 1712254279126, "from": "oif-device-priapus-1712253796415"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 14:12:44,652 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:12:44,652 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:12:44,652 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1fc1c6e39b064a6596311db1186281d9", "created": 1712254361418, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-04 14:12:44,682 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-04 14:12:44,683 - kestrel.config - DEBUG - Loading default config file...
2024-04-04 14:12:44,720 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-04 14:12:44,720 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-04 14:12:44,721 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-04 14:12:44,722 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-8dbfb9cd-1e76-4f89-a80e-7f99b478ad76.
2024-04-04 14:12:47,871 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:12:50,793 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:12:50,795 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-04 14:12:50,932 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:12:50,934 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:12:52,960 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-04 14:12:53,512 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-05T18:12:47.414Z' STOP t'2024-04-04T18:12:47.414Z'
2024-04-04 14:12:53,580 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:12:55,484 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:12:55,484 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-04 14:12:55,579 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:12:55,584 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:12:56,877 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-04 14:12:57,523 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-05T18:12:47.437Z' STOP t'2024-04-04T18:12:47.437Z'
2024-04-04 14:12:57,622 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:13:00,328 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:00,330 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:00,947 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:00,949 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:01,423 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:01,425 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:01,863 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:01,864 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:02,290 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:02,298 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:02,816 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:02,818 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:03,273 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:03,275 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:03,730 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:03,732 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:04,226 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:04,228 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:04,854 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:04,856 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:05,226 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:05,228 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:13:05,332 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:05,332 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-04 14:13:05,457 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:13:05,458 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:14:05,108 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:14:05,109 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:14:05,109 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1fc1c6e39b064a6596311db1186281d9", "created": 1712254445101, "from": "oif-device-priapus-1712253796415"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-04 14:48:19,796 - file - DEBUG - Debug FILE -- App Started
2024-04-04 14:48:20,324 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-04 14:48:36,235 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:48:36,236 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:48:36,236 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "39992875d19a4556ac91984032310436", "created": 1712256513062, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-04 14:48:36,273 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-04 14:48:36,274 - kestrel.config - DEBUG - Loading default config file...
2024-04-04 14:48:36,301 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-04 14:48:36,301 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-04 14:48:36,302 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-04 14:48:36,303 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-87521482-7cbc-4604-abe2-f24731b20c58.
2024-04-04 14:48:37,853 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:48:39,726 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:48:39,726 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-04 14:48:39,768 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:48:39,768 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:48:41,610 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-04 14:48:41,948 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-05T18:48:37.675Z' STOP t'2024-04-04T18:48:37.675Z'
2024-04-04 14:48:41,993 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:48:43,742 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:48:43,742 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-04 14:48:43,772 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:48:43,773 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:48:44,381 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-04 14:48:44,645 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-05T18:48:37.684Z' STOP t'2024-04-04T18:48:37.684Z'
2024-04-04 14:48:44,690 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:48:46,606 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:46,607 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:46,900 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:46,901 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:47,141 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:47,142 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:47,383 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:47,384 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:47,579 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:47,580 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:47,823 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:47,824 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:48,014 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:48,015 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:48,206 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:48,207 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:48,418 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:48,418 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:48,768 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:48,769 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:48,958 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:48,960 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:48:49,010 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:49,011 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-04 14:48:49,057 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:48:49,058 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:49:30,153 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:49:30,153 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:49:30,153 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "39992875d19a4556ac91984032310436", "created": 1712256570146, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-04 14:50:35,930 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:50:35,930 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:50:35,930 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "39030e2a92174b99a3b07356454b2568", "created": 1712256632764, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-04 14:50:35,947 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-04 14:50:35,948 - kestrel.config - DEBUG - Loading default config file...
2024-04-04 14:50:35,971 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-04 14:50:35,971 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-04 14:50:35,972 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-04 14:50:35,974 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-1b7a704a-c8ef-431b-a501-a2cf73fd10db.
2024-04-04 14:50:36,823 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:50:38,645 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:50:38,645 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-04 14:50:38,702 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-04 14:50:38,713 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:50:39,780 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-04 14:50:40,105 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-05T18:50:36.773Z' STOP t'2024-04-04T18:50:36.773Z'
2024-04-04 14:50:40,145 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:50:41,896 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:50:41,896 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-04 14:50:41,927 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-04 14:50:41,927 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:50:43,494 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-04 14:50:43,794 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-05T18:50:36.774Z' STOP t'2024-04-04T18:50:36.774Z'
2024-04-04 14:50:43,838 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-04 14:50:45,746 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:45,748 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:46,046 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:46,047 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:46,244 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:46,246 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:46,467 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:46,468 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:46,736 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:46,737 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:47,021 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:47,023 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:47,286 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:47,287 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:47,578 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:47,579 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:47,812 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:47,814 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:48,063 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:48,064 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:48,334 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:48,335 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-04 14:50:48,383 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:48,383 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-04 14:50:48,415 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-04 14:50:48,416 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-04 14:51:28,720 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:51:28,720 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:51:28,720 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "39030e2a92174b99a3b07356454b2568", "created": 1712256688713, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-04 14:54:11,869 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:54:11,869 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:54:11,869 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "98e8a362640b43e2957f2ad6f21cd8d3", "created": 1712256848706, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": "datasources"}}}}}
2024-04-04 14:54:11,882 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:54:11,882 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:54:11,882 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "98e8a362640b43e2957f2ad6f21cd8d3", "created": 1712256851881, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-04 14:55:46,158 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:55:46,158 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:55:46,159 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1de8234dda3645b89d9ec7ec13ce7a28", "created": 1712256942982, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 14:55:46,193 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:55:46,193 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:55:46,193 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1de8234dda3645b89d9ec7ec13ce7a28", "created": 1712256946191, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 14:56:47,927 - file - DEBUG - mqtt -- msg received ***
2024-04-04 14:56:47,927 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 14:56:47,927 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "caf365209bdf485cbd76c4cd3a42facd", "created": 1712257004770, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 14:56:47,955 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 14:56:47,955 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 14:56:47,956 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "caf365209bdf485cbd76c4cd3a42facd", "created": 1712257007954, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 15:48:23,460 - file - DEBUG - mqtt -- msg received ***
2024-04-04 15:48:23,460 - file - DEBUG - mqtt -- topic: oc2/cmd/test
2024-04-04 15:48:23,461 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b6f12ab0f2b84f45a4020f1d4de61a35", "created": 1712260100301, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-04 15:48:23,502 - file - DEBUG - mqtt -- publishing msg ***
2024-04-04 15:48:23,502 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-04 15:48:23,502 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b6f12ab0f2b84f45a4020f1d4de61a35", "created": 1712260103496, "from": "oif-device-priapus-1712256499769"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-04 16:29:21,378 - file - DEBUG - Debug FILE -- App Started
2024-04-04 16:29:21,907 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 09:40:49,555 - file - DEBUG - Debug FILE -- App Started
2024-04-05 09:40:53,184 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 11:20:24,458 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:20:24,463 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:20:24,463 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "ee03bd8d-61d2-4340-a5ba-e5d8448afb85", "from": "mqtt_tester_2e131d76-65e0-4fd9-ab21-a30a7223791d", "to": "test_receiver", "created": 1712330423701, "actuator_id": "8144acd3-f5d6-4bda-b1bd-a964f4a19677"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 11:20:24,488 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 11:20:24,489 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 11:20:24,510 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 11:20:24,510 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 11:20:24,510 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 11:20:24,511 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-f7be2a7c-ee79-4f2d-969b-032b47507bfd.
2024-04-05 11:20:26,221 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:20:28,040 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 11:20:28,041 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-05 11:20:28,073 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 11:20:28,073 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:20:29,250 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 11:20:29,263 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-05 11:20:29,263 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 11:20:29,324 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:20:30,972 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-05 11:20:30,972 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-05 11:20:30,998 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-05 11:20:30,998 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:20:32,204 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-05 11:20:32,204 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 11:20:32,212 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-05 11:20:32,445 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.13','172.16.1.14')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-05 11:20:32,483 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:20:34,131 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-05 11:20:34,131 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-05 11:20:34,160 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-05 11:20:34,160 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:20:35,613 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:20:35,614 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:20:35,614 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "ee03bd8d-61d2-4340-a5ba-e5d8448afb85", "created": 1712330435612, "from": "oif-device-priapus-1712324449534"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-05 11:20:52,634 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:20:52,634 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:20:52,634 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "7305b098-e10e-41b1-9e55-14dbc89c9802", "from": "mqtt_tester_c0ed3710-9907-4961-b33c-eb5f492f4e4d", "to": "test_receiver", "created": 1712330451647, "actuator_id": "8144acd3-f5d6-4bda-b1bd-a964f4a19677"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 11:20:52,734 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:20:52,734 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:20:52,734 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "7305b098-e10e-41b1-9e55-14dbc89c9802", "created": 1712330452732, "from": "oif-device-priapus-1712324449534"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 11:26:41,938 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:26:41,938 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:26:41,938 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "2208e4d6c4d24daa9632e5fc9ee2a617", "created": 1712330797444, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 11:26:41,977 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:26:41,978 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:26:41,978 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "2208e4d6c4d24daa9632e5fc9ee2a617", "created": 1712330801975, "from": "oif-device-priapus-1712324449534"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 11:28:51,755 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:28:51,755 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:28:51,756 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "26e92146e88541e5b4d1b13930d9f721", "created": 1712330927223, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 11:28:51,785 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:28:51,786 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:28:51,786 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "26e92146e88541e5b4d1b13930d9f721", "created": 1712330931780, "from": "oif-device-priapus-1712324449534"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 11:29:48,183 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:29:48,184 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:29:48,184 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a870f8af43f84230b012eb49b7ca680f", "created": 1712330983593, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 11:29:48,202 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 11:29:48,203 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 11:29:48,225 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 11:29:48,225 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 11:29:48,226 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 11:29:48,227 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-15435d80-9eeb-42d8-8de1-1ce1fa49591f.
2024-04-05 11:29:48,983 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:29:51,008 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 11:29:51,008 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 11:29:51,051 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 11:29:51,051 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:29:52,817 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 11:29:53,091 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-06T15:29:48.930Z' STOP t'2024-04-05T15:29:48.930Z'
2024-04-05 11:29:53,135 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:29:54,825 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 11:29:54,825 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 11:29:54,861 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 11:29:54,862 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:29:56,221 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 11:29:56,456 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-06T15:29:48.931Z' STOP t'2024-04-05T15:29:48.931Z'
2024-04-05 11:29:56,494 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 11:29:58,302 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:58,303 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:58,595 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:58,596 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:58,836 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:58,838 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:59,057 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:59,058 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:59,229 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:59,230 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:59,454 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:59,455 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:59,624 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:59,625 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:29:59,810 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:29:59,811 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:30:00,003 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:30:00,004 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 11:30:00,078 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:30:00,079 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 470
2024-04-05 11:30:00,133 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 11:30:00,134 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 11:30:30,040 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:30:30,040 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:30:30,040 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a870f8af43f84230b012eb49b7ca680f", "created": 1712331030034, "from": "oif-device-priapus-1712324449534"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 11:35:20,899 - file - DEBUG - Debug FILE -- App Started
2024-04-05 11:35:21,440 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 11:43:57,804 - file - DEBUG - mqtt -- msg received ***
2024-04-05 11:43:57,804 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 11:43:57,804 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e4343a0831c94e9888e17afd438152b2", "created": 1712331833280, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 11:43:57,830 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 11:43:57,830 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 11:43:57,830 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e4343a0831c94e9888e17afd438152b2", "created": 1712331837828, "from": "oif-device-priapus-1712331320880"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 12:37:05,257 - file - DEBUG - mqtt -- msg received ***
2024-04-05 12:37:05,257 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 12:37:05,257 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "cf56a54c14624d3c9bce47495536b12e", "created": 1712335020765, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 12:37:05,282 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 12:37:05,282 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 12:37:05,282 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "cf56a54c14624d3c9bce47495536b12e", "created": 1712335025279, "from": "oif-device-priapus-1712331320880"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 12:37:17,632 - file - DEBUG - mqtt -- msg received ***
2024-04-05 12:37:17,632 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 12:37:17,632 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "79493e74d4b8437984895167c37fed19", "created": 1712335033117, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 12:37:17,654 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 12:37:17,654 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 12:37:17,655 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "79493e74d4b8437984895167c37fed19", "created": 1712335037652, "from": "oif-device-priapus-1712331320880"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 12:38:34,842 - file - DEBUG - mqtt -- msg received ***
2024-04-05 12:38:34,843 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 12:38:34,843 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a368b08136cd4e05bf5bcfb702f5b05d", "created": 1712335110280, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 12:38:34,863 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 12:38:34,864 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 12:38:34,884 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 12:38:34,884 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 12:38:34,884 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 12:38:34,885 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-b94a3b20-482c-4100-b5f9-a676e8b6b72b.
2024-04-05 12:38:36,115 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 12:38:37,922 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 12:38:37,922 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 12:38:37,956 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 12:38:37,956 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 12:38:39,093 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 12:38:39,365 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-06T16:38:35.959Z' STOP t'2024-04-05T16:38:35.959Z'
2024-04-05 12:38:39,408 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 12:38:41,075 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 12:38:41,075 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 12:38:41,102 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 12:38:41,103 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 12:38:42,469 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 12:38:42,699 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-06T16:38:35.967Z' STOP t'2024-04-05T16:38:35.967Z'
2024-04-05 12:38:42,737 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 12:38:44,516 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:44,517 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:44,817 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:44,818 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:45,064 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:45,065 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:45,258 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:45,259 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:45,490 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:45,491 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:45,742 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:45,743 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:45,907 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:45,908 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 12:38:46,024 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:46,024 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 846
2024-04-05 12:38:46,059 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 12:38:46,060 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 12:39:08,728 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 12:39:08,728 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 12:39:08,728 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a368b08136cd4e05bf5bcfb702f5b05d", "created": 1712335148722, "from": "oif-device-priapus-1712331320880"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 13:34:59,738 - file - DEBUG - Debug FILE -- App Started
2024-04-05 13:35:00,532 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 13:36:26,020 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:36:26,020 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:36:26,021 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "3e566b64-753d-4ac9-a2c9-90b2d552a750", "from": "mqtt_tester-priapus-1712338585179", "to": "test_receiver", "created": 1712338585180}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 13:36:26,047 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:36:26,048 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:36:26,067 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:36:26,067 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:36:26,067 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:36:26,069 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-256941b1-f530-4c30-9100-2928880ab50f.
2024-04-05 13:36:27,427 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:36:29,261 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 13:36:29,261 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 13:36:29,294 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 13:36:29,294 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:36:30,291 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 13:36:30,567 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-06T17:36:27.265Z' STOP t'2024-04-05T17:36:27.265Z'
2024-04-05 13:36:30,604 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:36:32,334 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:36:32,335 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 13:36:32,359 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:36:32,359 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:36:32,919 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 13:36:33,154 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-06T17:36:27.273Z' STOP t'2024-04-05T17:36:27.273Z'
2024-04-05 13:36:33,192 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:36:34,958 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:34,959 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:36:35,201 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,202 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:36:35,382 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,383 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:36:35,556 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,558 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:36:35,730 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,731 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:36:35,880 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,880 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 809
2024-04-05 13:36:35,916 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:36:35,916 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:36:53,402 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:36:53,402 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:36:53,402 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "3e566b64-753d-4ac9-a2c9-90b2d552a750", "created": 1712338613396, "from": "oif-device-priapus-1712338499720"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 13:40:10,497 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:40:10,497 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:40:10,497 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "947cf43170354c5c94208217e45d5094", "created": 1712338806123, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 13:40:10,534 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:40:10,534 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:40:10,534 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "947cf43170354c5c94208217e45d5094", "created": 1712338810531, "from": "oif-device-priapus-1712338499720"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 13:40:36,814 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:40:36,814 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:40:36,814 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0423daa2d91b4c6087a088989254bf2d", "created": 1712338832411, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 13:40:36,831 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:40:36,832 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:40:36,853 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:40:36,853 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:40:36,853 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:40:36,856 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-2c9f2fca-c4d1-4705-9ae6-7eb3d5b3167e.
2024-04-05 13:40:37,774 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:40:39,629 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 13:40:39,629 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 13:40:39,669 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 13:40:39,670 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:40:40,325 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 13:40:40,599 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-06T17:40:37.715Z' STOP t'2024-04-05T17:40:37.715Z'
2024-04-05 13:40:40,637 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:40:42,576 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:40:42,577 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 13:40:42,625 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:40:42,625 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:40:43,716 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 13:40:43,982 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-06T17:40:37.717Z' STOP t'2024-04-05T17:40:37.717Z'
2024-04-05 13:40:44,035 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:40:46,019 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:46,020 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:40:46,247 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:46,248 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:40:46,540 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:46,541 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:40:46,825 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:46,826 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:40:47,148 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:47,150 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 13:40:47,280 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:47,281 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 617
2024-04-05 13:40:47,329 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 13:40:47,329 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:41:11,630 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:41:11,630 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:41:11,631 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0423daa2d91b4c6087a088989254bf2d", "created": 1712338871624, "from": "oif-device-priapus-1712338499720"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 13:41:55,764 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:41:55,765 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:41:55,765 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "cc5c756e272b49d289b205caca3ee22a", "created": 1712338911327, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 13:41:55,784 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:41:55,785 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:41:55,805 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:41:55,805 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:41:55,805 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:41:55,808 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-9553b090-5677-42cd-9723-de4ce5da35c6.
2024-04-05 13:41:56,842 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:41:58,669 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:41:58,670 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 13:41:58,699 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:41:58,700 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:41:59,961 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:41:59,979 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 13:42:00,341 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T17:41:56.720Z' STOP t'2024-04-05T17:41:56.720Z'
2024-04-05 13:42:00,391 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:42:02,322 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 13:42:02,322 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 13:42:02,353 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 13:42:02,354 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:42:03,540 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 13:42:03,891 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T17:41:56.720Z' STOP t'2024-04-05T17:41:56.720Z'
2024-04-05 13:42:03,970 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:42:05,819 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 13:42:05,820 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 13:42:05,868 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 13:42:05,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:42:07,329 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:42:07,394 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:42:07,394 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:42:07,394 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "cc5c756e272b49d289b205caca3ee22a", "created": 1712338927385, "from": "oif-device-priapus-1712338499720"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "badidea.exe", "pid": 3096, "x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "cwd": null, "x_window_title": null, "binary_ref.name": "badidea.exe", "binary_ref.id": "file--6a71f773-5872-5930-8d53-a096a154b28f", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Users\\Public", "binary_ref.parent_directory_ref.id": "directory--9cbb5121-7a48-5719-8f2f-170809992f9b", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-05 13:47:25,937 - file - DEBUG - Debug FILE -- App Started
2024-04-05 13:47:26,538 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 13:48:11,258 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:48:11,258 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:48:11,258 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "6298e5e2fb4d4e8d8047b3abb10985d6", "created": 1712339286814, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 13:48:11,291 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:48:11,292 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:48:11,314 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:48:11,314 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:48:11,314 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:48:11,315 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-18232d84-2f9b-4f33-a36b-c09c77d43738.
2024-04-05 13:48:12,884 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:48:14,691 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:48:14,691 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 13:48:14,720 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 13:48:14,720 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:48:16,392 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:48:16,402 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 13:48:16,742 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T17:48:12.674Z' STOP t'2024-04-05T17:48:12.674Z'
2024-04-05 13:48:16,801 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:48:18,593 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 13:48:18,594 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 13:48:18,629 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 13:48:18,630 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:48:19,582 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 13:48:19,843 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T17:48:12.674Z' STOP t'2024-04-05T17:48:12.674Z'
2024-04-05 13:48:19,885 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:48:21,628 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 13:48:21,629 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 13:48:21,656 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 13:48:21,656 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:48:22,716 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:48:22,737 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-05 13:48:23,023 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}')] START t'2024-03-06T17:48:12.687Z' STOP t'2024-04-05T17:48:12.687Z'
2024-04-05 13:48:23,082 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:48:25,001 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:48:25,002 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 13:48:25,045 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:48:25,046 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:48:26,474 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-05 13:48:26,810 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('shutdown.exe','conhost.exe','cmd.exe','netsh.exe')] START t'2024-03-06T18:55:41.097Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-05 13:48:26,869 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:48:28,649 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 13:48:28,670 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 55
2024-04-05 13:48:28,734 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 13:48:28,734 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:48:29,832 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:48:29,832 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:48:29,832 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "6298e5e2fb4d4e8d8047b3abb10985d6", "created": 1712339309822, "from": "oif-device-priapus-1712339245906"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "shutdown.exe", "id": "file--69aa4237-8e09-5842-bbba-456c3ad11bec", "hashes.'SHA-256'": "d4e68cc9cb1965d70134c68bd1a090e0afae5b8b3d8018c6b6564852ae7bf396", "hashes.MD5": "f2a4e18da72bb2c5b21076a5de382a20", "parent_directory_ref.path": "C:\\Windows\\System32", "parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "type": "file"}}}}}}
2024-04-05 13:50:04,007 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:50:04,007 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:50:04,007 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "4046f1e4620042d291b52121d25dcc76", "created": 1712339399651, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 13:50:04,034 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:50:04,038 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:50:04,077 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:50:04,078 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:50:04,078 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:50:04,079 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-98c53258-3798-41b5-820c-acbce5401d84.
2024-04-05 13:50:05,006 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:50:06,846 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:50:06,847 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 13:50:06,884 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:50:06,884 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:50:08,487 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:50:08,503 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:50:08,503 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:50:08,503 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "4046f1e4620042d291b52121d25dcc76", "created": 1712339408503, "from": "oif-device-priapus-1712339245906"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 154, in process_oc2_msg\n    work_result = hunt_via_file_j2(hunt_path, hunt_args)\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 13:53:12,158 - file - DEBUG - Debug FILE -- App Started
2024-04-05 13:53:12,848 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 13:55:02,309 - file - DEBUG - mqtt -- msg received ***
2024-04-05 13:55:02,309 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 13:55:02,310 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f8f06844567b4c0caec932d4d9145592", "created": 1712339697927, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 13:55:35,781 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 13:55:35,783 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 13:55:35,846 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 13:55:35,847 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 13:55:35,847 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 13:55:35,849 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-f45f7793-5d8c-4c23-8001-72f3cc015985.
2024-04-05 13:55:39,684 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 13:55:41,698 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:55:41,698 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 13:55:41,732 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 13:55:41,733 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 13:55:43,579 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 13:57:08,000 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 13:57:08,000 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 13:57:08,000 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f8f06844567b4c0caec932d4d9145592", "created": 1712339827998, "from": "oif-device-priapus-1712339592137"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 154, in process_oc2_msg\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 14:31:40,842 - file - DEBUG - Debug FILE -- App Started
2024-04-05 14:31:41,585 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 14:32:11,685 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:32:11,685 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:32:11,686 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f504a6cc21b74f9ca233255c692cd067", "created": 1712341927526, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 14:32:24,510 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:32:24,512 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:32:24,583 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:32:24,584 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:32:24,584 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:32:24,587 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-47c2cd81-6413-477c-99d7-db0d93cf7860.
2024-04-05 14:32:30,822 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:32:33,165 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:32:33,166 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 14:32:33,195 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:32:33,196 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:32:34,880 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:32:34,896 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 14:32:35,659 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T18:32:30.272Z' STOP t'2024-04-05T18:32:30.272Z'
2024-04-05 14:32:35,787 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:32:38,101 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:32:38,101 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 14:32:38,136 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:32:38,136 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:32:38,913 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 14:32:39,712 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T18:32:30.274Z' STOP t'2024-04-05T18:32:30.274Z'
2024-04-05 14:32:39,852 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:32:42,149 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 14:32:42,149 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 14:32:42,182 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 14:32:42,183 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:32:42,904 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:32:46,342 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:32:46,342 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:32:46,342 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f504a6cc21b74f9ca233255c692cd067", "created": 1712341966324, "from": "oif-device-priapus-1712341900813"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "badidea.exe", "pid": 3096, "x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "cwd": null, "x_window_title": null, "binary_ref.name": "badidea.exe", "binary_ref.id": "file--6a71f773-5872-5930-8d53-a096a154b28f", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Users\\Public", "binary_ref.parent_directory_ref.id": "directory--9cbb5121-7a48-5719-8f2f-170809992f9b", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-05 14:36:28,712 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:36:28,712 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:36:28,713 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b9437ff625ab4a588adbc24f6433401e", "created": 1712342184576, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 14:36:37,209 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:36:37,211 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:36:37,292 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:36:37,292 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:36:37,293 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:36:37,295 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-a509e6ba-d350-4908-bce9-67679a1ab148.
2024-04-05 14:36:40,154 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:36:42,325 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:36:42,325 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 14:36:42,358 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:36:42,358 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:36:43,819 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:36:43,843 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 14:36:44,576 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T18:36:39.817Z' STOP t'2024-04-05T18:36:39.817Z'
2024-04-05 14:36:44,700 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:36:46,854 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:36:46,855 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 14:36:46,887 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:36:46,887 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:36:47,550 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 14:36:48,264 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T18:36:39.820Z' STOP t'2024-04-05T18:36:39.820Z'
2024-04-05 14:36:48,391 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:36:50,702 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 14:36:50,703 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 14:36:50,739 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 14:36:50,740 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:36:52,059 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:36:52,089 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-05 14:36:52,913 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}')] START t'2024-03-06T18:36:39.834Z' STOP t'2024-04-05T18:36:39.834Z'
2024-04-05 14:36:53,046 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:36:55,217 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:36:55,217 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 14:36:55,246 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:36:55,247 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:36:55,906 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-05 14:36:56,634 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('netsh.exe','cmd.exe','conhost.exe','shutdown.exe')] START t'2024-03-06T18:55:41.097Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-05 14:36:56,770 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:36:58,934 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 14:36:58,935 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 55
2024-04-05 14:36:58,965 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 14:36:58,965 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:37:19,435 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:37:19,435 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:37:19,435 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b9437ff625ab4a588adbc24f6433401e", "created": 1712342239423, "from": "oif-device-priapus-1712341900813"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "shutdown.exe", "id": "file--69aa4237-8e09-5842-bbba-456c3ad11bec", "hashes.'SHA-256'": "d4e68cc9cb1965d70134c68bd1a090e0afae5b8b3d8018c6b6564852ae7bf396", "hashes.MD5": "f2a4e18da72bb2c5b21076a5de382a20", "parent_directory_ref.path": "C:\\Windows\\System32", "parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "type": "file"}}}}}}
2024-04-05 14:46:01,259 - file - DEBUG - Debug FILE -- App Started
2024-04-05 14:46:01,958 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 14:47:36,266 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:47:36,266 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:47:36,267 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "70782664a37c470090f722bb2245959d", "created": 1712342852226, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 14:47:39,795 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:47:39,795 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:47:39,818 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:47:39,818 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:47:39,818 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:47:39,819 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-b355b2fd-e725-45de-88d1-2ac83d2fdd67.
2024-04-05 14:47:41,272 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:47:43,325 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 14:47:43,325 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 14:47:43,361 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 14:47:43,362 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:47:44,901 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 14:47:45,162 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-03-06T18:47:41.107Z' STOP t'2024-04-05T18:47:41.107Z'
2024-04-05 14:47:45,203 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:47:47,131 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:47:47,132 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 14:47:47,163 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:47:47,163 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:47:48,046 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 14:47:48,278 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-03-06T18:47:41.115Z' STOP t'2024-04-05T18:47:41.115Z'
2024-04-05 14:47:48,325 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:47:50,384 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:50,386 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 14:47:50,638 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:50,639 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 14:47:50,842 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:50,842 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 14:47:51,092 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:51,094 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 14:47:51,263 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:51,264 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 14:47:51,408 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:51,408 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 617
2024-04-05 14:47:51,442 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 14:47:51,442 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:48:12,664 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:48:12,664 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:48:12,664 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "70782664a37c470090f722bb2245959d", "created": 1712342892657, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 14:54:21,182 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:54:21,182 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:54:21,183 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "8ef1ccd5b8a247edaad9db214bea6007", "created": 1712343257168, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 14:54:21,211 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:54:21,212 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:54:21,232 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:54:21,232 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:54:21,232 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:54:21,233 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-1ad2389e-6896-4410-8b6a-f013659eb6a1.
2024-04-05 14:54:21,985 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:54:23,945 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:54:23,945 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 14:54:23,970 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:54:23,971 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:54:24,980 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:54:24,991 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 14:54:25,299 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T18:54:21.904Z' STOP t'2024-04-05T18:54:21.904Z'
2024-04-05 14:54:25,351 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:54:27,227 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:54:27,227 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 14:54:27,251 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:54:27,251 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:54:27,786 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 14:54:28,011 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T18:54:21.904Z' STOP t'2024-04-05T18:54:21.904Z'
2024-04-05 14:54:28,047 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:54:29,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 14:54:29,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-05 14:54:29,895 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 14:54:29,895 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:54:31,540 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:54:34,865 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:54:34,866 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:54:34,866 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "8ef1ccd5b8a247edaad9db214bea6007", "created": 1712343274855, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "badidea.exe", "pid": 3096, "x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "cwd": null, "x_window_title": null, "binary_ref.name": "badidea.exe", "binary_ref.id": "file--6a71f773-5872-5930-8d53-a096a154b28f", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Users\\Public", "binary_ref.parent_directory_ref.id": "directory--9cbb5121-7a48-5719-8f2f-170809992f9b", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-05 14:56:17,384 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:56:17,384 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:56:17,384 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "81a30d7c9ceb47538f4173a9ba58a911", "created": 1712343373281, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 14:56:17,407 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:56:17,408 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:56:17,427 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:56:17,428 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:56:17,428 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:56:17,429 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-ebfd35a1-12aa-41be-840b-8b2deae1614a.
2024-04-05 14:56:18,211 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:56:20,079 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:56:20,080 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 14:56:20,113 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 14:56:20,113 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:56:21,768 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:56:21,778 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 14:56:22,038 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-03-06T18:56:18.141Z' STOP t'2024-04-05T18:56:18.141Z'
2024-04-05 14:56:22,075 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:56:23,924 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:56:23,924 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 14:56:23,953 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 14:56:23,954 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:56:25,510 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 14:56:25,759 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-03-06T18:56:18.141Z' STOP t'2024-04-05T18:56:18.141Z'
2024-04-05 14:56:25,795 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:56:27,681 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 14:56:27,681 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-05 14:56:27,717 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 14:56:27,717 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:56:29,259 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:56:29,275 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-05 14:56:29,580 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}')] START t'2024-03-06T18:56:18.143Z' STOP t'2024-04-05T18:56:18.143Z'
2024-04-05 14:56:29,621 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:56:31,549 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:56:31,549 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 14:56:31,574 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:56:31,574 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:56:33,094 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-05 14:56:33,390 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('cmd.exe','shutdown.exe','netsh.exe','conhost.exe')] START t'2024-03-06T18:55:41.097Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-05 14:56:33,445 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:56:35,285 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 14:56:35,286 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 55
2024-04-05 14:56:35,311 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 55, 'relation': 'eq'}
2024-04-05 14:56:35,311 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:56:38,957 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:56:38,957 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:56:38,957 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "81a30d7c9ceb47538f4173a9ba58a911", "created": 1712343398948, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "shutdown.exe", "id": "file--69aa4237-8e09-5842-bbba-456c3ad11bec", "hashes.'SHA-256'": "d4e68cc9cb1965d70134c68bd1a090e0afae5b8b3d8018c6b6564852ae7bf396", "hashes.MD5": "f2a4e18da72bb2c5b21076a5de382a20", "parent_directory_ref.path": "C:\\Windows\\System32", "parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "type": "file"}}}}}}
2024-04-05 14:59:34,816 - file - DEBUG - mqtt -- msg received ***
2024-04-05 14:59:34,816 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 14:59:34,816 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b17d2038194e461ea27e4402603865f4", "created": 1712343570777, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 14:59:34,835 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 14:59:34,836 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 14:59:34,862 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 14:59:34,862 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 14:59:34,863 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 14:59:34,863 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-d8ccc011-32a8-4c00-803e-07ccafa5165a.
2024-04-05 14:59:35,665 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 14:59:37,565 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:59:37,565 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 14:59:37,594 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 14:59:37,595 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 14:59:38,958 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 14:59:38,970 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 14:59:38,970 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 14:59:38,970 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b17d2038194e461ea27e4402603865f4", "created": 1712343578969, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 155, in process_oc2_msg\n    work_result = hunt_via_file_j2(hunt_path, hunt_args)\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 15:01:56,227 - file - DEBUG - mqtt -- msg received ***
2024-04-05 15:01:56,227 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 15:01:56,227 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a83c385c266e4b59bf6c3f1066944ef5", "created": 1712343712224, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 15:01:56,247 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 15:01:56,248 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 15:01:56,271 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 15:01:56,271 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 15:01:56,271 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 15:01:56,272 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-1aff2bc0-96ca-4237-8a41-2e75046e6a39.
2024-04-05 15:01:57,080 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 15:01:58,947 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 15:01:58,948 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 15:01:58,975 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 15:01:58,975 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 15:02:00,623 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 15:02:00,632 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 15:02:00,632 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 15:02:00,632 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a83c385c266e4b59bf6c3f1066944ef5", "created": 1712343720631, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 155, in process_oc2_msg\n    work_result = hunt_via_file_j2(hunt_path, hunt_args)\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 15:04:06,384 - file - DEBUG - mqtt -- msg received ***
2024-04-05 15:04:06,385 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 15:04:06,385 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c8dbaf44-8500-4e88-8090-5e632ba8cfe4", "from": "mqtt_tester-common.sl.cloud9.ibm.com-1712343845628", "to": "test_receiver", "created": 1712343845629}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 15:04:06,412 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 15:04:06,414 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 15:04:06,437 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 15:04:06,437 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 15:04:06,437 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 15:04:06,438 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-a535fd73-abc1-4e32-af78-5ca4be1f535e.
2024-04-05 15:04:07,170 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 15:04:09,095 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 15:04:09,096 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 6
2024-04-05 15:04:09,123 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 6, 'relation': 'eq'}
2024-04-05 15:04:09,124 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 15:04:10,734 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 15:04:10,777 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 15:04:10,777 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 15:04:10,777 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c8dbaf44-8500-4e88-8090-5e632ba8cfe4", "created": 1712343850774, "from": "oif-device-priapus-1712342761238"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 155, in process_oc2_msg\n    work_result = hunt_via_file_j2(hunt_path, hunt_args)\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 15:52:27,464 - file - DEBUG - Debug FILE -- App Started
2024-04-05 15:52:27,948 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 15:53:55,111 - file - DEBUG - Debug FILE -- App Started
2024-04-05 15:53:55,603 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 15:57:23,449 - file - DEBUG - mqtt -- msg received ***
2024-04-05 15:57:23,450 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 15:57:23,450 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "cd01d99a99ca48eeb0b4cb41657e0538", "created": 1712347042272, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-05 15:57:23,516 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 15:57:23,516 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 15:57:23,516 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "cd01d99a99ca48eeb0b4cb41657e0538", "created": 1712347043511, "from": "oif-device-priapus-1712346835074"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-05 16:04:34,025 - file - DEBUG - mqtt -- msg received ***
2024-04-05 16:04:34,026 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 16:04:34,026 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a032112640904ef0a5c56b938218bc8b", "created": 1712347470256, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 16:04:34,050 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 16:04:34,051 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 16:04:34,071 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 16:04:34,072 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 16:04:34,072 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 16:04:34,073 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-21cc9436-db51-4a1d-ba57-503f94f42688.
2024-04-05 16:04:35,452 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:04:37,591 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 16:04:37,592 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 10
2024-04-05 16:04:37,627 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10, 'relation': 'eq'}
2024-04-05 16:04:37,628 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:04:38,905 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:04:38,917 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 16:04:38,918 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 16:04:38,918 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a032112640904ef0a5c56b938218bc8b", "created": 1712347478917, "from": "oif-device-priapus-1712346835074"}, "body": {"openc2": {"response": {"status": 500, "results": "Error processing mqtt message: Traceback (most recent call last):\n  File \"/home/matt/workspace/openc2-oif-device/transports/mqtt.py\", line 96, in on_message\n    work_result = process_oc2_msg(msg_benedict)\n  File \"/home/matt/workspace/openc2-oif-device/oc2/message_manager.py\", line 154, in process_oc2_msg\n    work_result = hunt_via_file_j2(hunt_path, hunt_args)\n  File \"/home/matt/workspace/openc2-oif-device/hunts/py/find_data_via_huntflow_j2.py\", line 63, in hunt_via_file_j2\n    session.execute(huntflow)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 274, in execute\n    return self._execute_ast(ast)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/session.py\", line 412, in _execute_ast\n    semantics_processing(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/processor.py\", line 52, in semantics_processing\n    stmt[\"where\"].deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 132, in deref\n    self.timerange = self.graph.deref(deref_func, get_timerange_func)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/ecgpattern.py\", line 266, in deref\n    xs, tr = deref_and_flatten_value_to_list(\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/syntax/reference.py\", line 26, in deref_and_flatten_value_to_list\n    tr = get_timerange_func(value)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/kestrel/semantics/reference.py\", line 53, in get_timerange\n    summary = store.summary(entity_table)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/sqlstorage.py\", line 998, in summary\n    Table(viewname),\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/query.py\", line 319, in __init__\n    validate_name(name)\n  File \"/home/matt/.virtualenvs/openc2-oif-device/lib/python3.10/site-packages/firepit/validate.py\", line 16, in validate_name\n    raise InvalidViewname(name)\nfirepit.exceptions.InvalidViewname: None\n"}}}}
2024-04-05 16:07:05,137 - file - DEBUG - Debug FILE -- App Started
2024-04-05 16:07:05,810 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-05 16:08:40,425 - file - DEBUG - mqtt -- msg received ***
2024-04-05 16:08:40,425 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 16:08:40,425 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "9179bf75ed1849fd84c7d1511e9803b1", "created": 1712347716731, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-05 16:08:40,446 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 16:08:40,447 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 16:08:40,467 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 16:08:40,467 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 16:08:40,467 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 16:08:40,469 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-b84776aa-3a9e-4460-8fc3-fb274d84f8e5.
2024-04-05 16:08:41,723 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:08:43,730 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 16:08:43,730 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-05 16:08:43,766 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-05 16:08:43,767 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:08:44,783 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-05 16:08:45,087 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-06T20:08:41.566Z' STOP t'2024-04-05T20:08:41.566Z'
2024-04-05 16:08:45,135 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:08:47,097 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:08:47,098 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 16:08:47,126 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:08:47,126 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:08:48,498 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-05 16:08:48,773 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-06T20:08:41.574Z' STOP t'2024-04-05T20:08:41.574Z'
2024-04-05 16:08:48,822 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:08:50,904 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:50,905 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:51,167 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:51,168 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:51,353 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:51,354 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:51,577 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:51,578 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:51,745 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:51,746 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:51,979 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:51,980 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,127 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,128 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,310 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,311 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,490 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,492 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,725 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,725 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,891 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,892 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-05 16:08:52,938 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,938 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-05 16:08:52,971 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-05 16:08:52,971 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:09:32,069 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 16:09:32,069 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 16:09:32,069 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "9179bf75ed1849fd84c7d1511e9803b1", "created": 1712347772061, "from": "oif-device-priapus-1712347625116"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-05 16:11:00,748 - file - DEBUG - mqtt -- msg received ***
2024-04-05 16:11:00,748 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 16:11:00,748 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "5cdd0271d86c46249f57a311e56b5c7c", "created": 1712347857059, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 16:11:00,768 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 16:11:00,770 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 16:11:00,791 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 16:11:00,791 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 16:11:00,791 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 16:11:00,792 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-c23af21b-2bfd-47a6-8a80-96eb1f912afe.
2024-04-05 16:11:01,529 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:03,236 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:03,237 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 16:11:03,274 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:03,275 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:04,682 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:11:04,692 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 16:11:04,977 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-06T20:11:01.446Z' STOP t'2024-04-05T20:11:01.446Z'
2024-04-05 16:11:05,017 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:06,835 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 16:11:06,835 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 16:11:06,866 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 16:11:06,866 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:08,109 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 16:11:08,336 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-06T20:11:01.446Z' STOP t'2024-04-05T20:11:01.446Z'
2024-04-05 16:11:08,372 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:10,052 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-05 16:11:10,052 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-05 16:11:10,090 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-05 16:11:10,090 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:10,959 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-05 16:11:11,180 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-06T20:11:01.447Z' STOP t'2024-04-05T20:11:01.447Z'
2024-04-05 16:11:11,214 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:12,909 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 16:11:12,909 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-05 16:11:12,940 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 16:11:12,940 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:13,967 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-05 16:11:14,186 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-06T20:11:01.447Z' STOP t'2024-04-05T20:11:01.447Z'
2024-04-05 16:11:14,223 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:16,063 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:16,063 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 16:11:16,097 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:16,097 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:17,054 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 16:11:17,054 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 16:11:17,055 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "5cdd0271d86c46249f57a311e56b5c7c", "created": 1712347877043, "from": "oif-device-priapus-1712347625116"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-05 16:11:49,046 - file - DEBUG - mqtt -- msg received ***
2024-04-05 16:11:49,046 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 16:11:49,047 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c8a3454baaf444c9b2a341ce2795efb1", "created": 1712347905262, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 16:11:49,068 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 16:11:49,069 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 16:11:49,091 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 16:11:49,092 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 16:11:49,092 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 16:11:49,093 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-9ae2e023-da06-4c85-b3fb-8f68b4d17699.
2024-04-05 16:11:49,865 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:51,619 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:51,619 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 16:11:51,643 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:11:51,643 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:52,783 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:11:52,793 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-05 16:11:53,047 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-06T20:11:49.791Z' STOP t'2024-04-05T20:11:49.791Z'
2024-04-05 16:11:53,088 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:54,776 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 16:11:54,776 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-05 16:11:54,806 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-05 16:11:54,807 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:55,428 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-05 16:11:55,771 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-06T20:11:49.791Z' STOP t'2024-04-05T20:11:49.791Z'
2024-04-05 16:11:55,823 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:11:57,571 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-05 16:11:57,571 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-05 16:11:57,608 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-05 16:11:57,608 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:11:58,666 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-05 16:11:58,926 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-06T20:11:49.792Z' STOP t'2024-04-05T20:11:49.792Z'
2024-04-05 16:11:58,968 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:12:00,646 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 16:12:00,646 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-05 16:12:00,680 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-05 16:12:00,680 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:12:01,784 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-05 16:12:02,028 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-06T20:11:49.792Z' STOP t'2024-04-05T20:11:49.792Z'
2024-04-05 16:12:02,073 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:12:03,774 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:12:03,775 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-05 16:12:03,807 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-05 16:12:03,807 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:12:04,884 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-05 16:12:05,149 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}')] START t'2024-01-06T20:11:49.794Z' STOP t'2024-04-05T20:11:49.794Z'
2024-04-05 16:12:05,195 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:12:06,894 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 16:12:06,895 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-05 16:12:06,922 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 16:12:06,923 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:12:07,956 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-05 16:12:08,249 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('shutdown.exe','conhost.exe','cmd.exe','powershell.exe','netsh.exe','badidea.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-05 16:12:08,301 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:12:10,033 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-05 16:12:10,033 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-05 16:12:10,079 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-05 16:12:10,079 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:12:11,621 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 16:12:11,621 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 16:12:11,622 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c8a3454baaf444c9b2a341ce2795efb1", "created": 1712347931611, "from": "oif-device-priapus-1712347625116"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-05 16:12:54,397 - file - DEBUG - mqtt -- msg received ***
2024-04-05 16:12:54,397 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-05 16:12:54,397 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "94686d9ccf61430f955cf3ac8e439ca6", "created": 1712347970611, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-05 16:12:54,420 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-05 16:12:54,422 - kestrel.config - DEBUG - Loading default config file...
2024-04-05 16:12:54,447 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-05 16:12:54,447 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-05 16:12:54,447 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-05 16:12:54,448 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-298111e5-2e51-4183-a2e1-8eca8aaab327.
2024-04-05 16:12:55,264 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:12:56,971 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 16:12:56,971 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-05 16:12:57,005 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-05 16:12:57,005 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:12:58,443 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:12:58,454 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-05 16:12:58,454 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:12:58,512 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:13:00,253 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-05 16:13:00,254 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-05 16:13:00,292 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-05 16:13:00,293 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:13:01,709 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-05 16:13:01,709 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-05 16:13:01,718 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-05 16:13:02,018 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.14','172.16.1.13')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-05 16:13:02,059 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-05 16:13:03,774 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-05 16:13:03,775 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-05 16:13:03,811 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-05 16:13:03,811 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-05 16:13:04,421 - file - DEBUG - mqtt -- publishing msg ***
2024-04-05 16:13:04,421 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-05 16:13:04,421 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "94686d9ccf61430f955cf3ac8e439ca6", "created": 1712347984420, "from": "oif-device-priapus-1712347625116"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-08 09:56:32,884 - file - DEBUG - Debug FILE -- App Started
2024-04-08 09:56:33,726 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-08 09:57:48,722 - file - DEBUG - mqtt -- msg received ***
2024-04-08 09:57:48,722 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 09:57:48,722 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "698c0c3651c049bcb40403a002e17363", "created": 1712584667375, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 09:57:48,758 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 09:57:48,758 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 09:57:48,758 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "698c0c3651c049bcb40403a002e17363", "created": 1712584668755, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 09:58:15,863 - file - DEBUG - mqtt -- msg received ***
2024-04-08 09:58:15,863 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 09:58:15,863 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b62089c6953e47638411f7b577fdcf15", "created": 1712584694712, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-08 09:58:15,888 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 09:58:15,889 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 09:58:15,914 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 09:58:15,915 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 09:58:15,915 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 09:58:15,917 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-620100ac-421d-4381-866e-5f4448fd84c0.
2024-04-08 09:58:17,278 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 09:58:19,098 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-08 09:58:19,099 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-08 09:58:19,138 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-08 09:58:19,139 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 09:58:20,019 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-08 09:58:20,257 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-09T13:58:17.121Z' STOP t'2024-04-08T13:58:17.121Z'
2024-04-08 09:58:20,298 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 09:58:21,966 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 09:58:21,966 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 09:58:22,001 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 09:58:22,001 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 09:58:23,637 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-08 09:58:23,879 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-09T13:58:17.129Z' STOP t'2024-04-08T13:58:17.129Z'
2024-04-08 09:58:23,923 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 09:58:25,843 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:25,844 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:26,130 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:26,131 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:26,331 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:26,332 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:26,602 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:26,603 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:26,849 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:26,850 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:27,125 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:27,127 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:27,318 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:27,319 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:27,502 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:27,503 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:27,706 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:27,708 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:28,056 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:28,057 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:28,254 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:28,255 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 09:58:28,307 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:28,308 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-08 09:58:28,343 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 09:58:28,343 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 09:59:06,242 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 09:59:06,242 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 09:59:06,243 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b62089c6953e47638411f7b577fdcf15", "created": 1712584746236, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-08 10:01:27,911 - file - DEBUG - mqtt -- msg received ***
2024-04-08 10:01:27,911 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 10:01:27,911 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a0348fcd34834c4b9e091ad3cda45aed", "created": 1712584886719, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 10:01:27,933 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 10:01:27,934 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 10:01:27,956 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 10:01:27,956 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 10:01:27,956 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 10:01:27,957 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-4a3acd35-f5e4-40a8-ac8e-51ff579fe141.
2024-04-08 10:01:28,735 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:01:30,409 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:01:30,410 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 10:01:30,436 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:01:30,437 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:01:32,142 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 10:01:32,157 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 10:01:32,401 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T14:01:28.653Z' STOP t'2024-04-08T14:01:28.653Z'
2024-04-08 10:01:32,440 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:01:34,181 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 10:01:34,182 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 10:01:34,225 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 10:01:34,226 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:01:35,797 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 10:01:36,016 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T14:01:28.653Z' STOP t'2024-04-08T14:01:28.653Z'
2024-04-08 10:01:36,064 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:01:37,747 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 10:01:37,747 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 10:01:37,794 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 10:01:37,795 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:01:38,856 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 10:01:39,161 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T14:01:28.653Z' STOP t'2024-04-08T14:01:28.653Z'
2024-04-08 10:01:39,195 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:01:40,852 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 10:01:40,853 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 10:01:40,881 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 10:01:40,881 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:01:41,963 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 10:01:42,203 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T14:01:28.653Z' STOP t'2024-04-08T14:01:28.653Z'
2024-04-08 10:01:42,240 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:01:43,965 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:01:43,966 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 10:01:44,002 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:01:44,002 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:01:45,337 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 10:01:45,338 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 10:01:45,338 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a0348fcd34834c4b9e091ad3cda45aed", "created": 1712584905329, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-08 10:02:18,725 - file - DEBUG - mqtt -- msg received ***
2024-04-08 10:02:18,725 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 10:02:18,725 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b86349959ee54c2095f4996a7a83fc5f", "created": 1712584937571, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 10:02:18,747 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 10:02:18,748 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 10:02:18,771 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 10:02:18,772 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 10:02:18,772 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 10:02:18,773 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-8b1d3f2c-b3f6-411d-8e91-4815bea135f2.
2024-04-08 10:02:19,607 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:21,326 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:02:21,326 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 10:02:21,354 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:02:21,354 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:22,018 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 10:02:22,029 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 10:02:22,248 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T14:02:19.533Z' STOP t'2024-04-08T14:02:19.533Z'
2024-04-08 10:02:22,285 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:23,956 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 10:02:23,956 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 10:02:23,994 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 10:02:23,994 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:25,031 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 10:02:25,321 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T14:02:19.534Z' STOP t'2024-04-08T14:02:19.534Z'
2024-04-08 10:02:25,356 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:26,996 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 10:02:26,997 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 10:02:27,029 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 10:02:27,029 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:28,367 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 10:02:28,600 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T14:02:19.534Z' STOP t'2024-04-08T14:02:19.534Z'
2024-04-08 10:02:28,637 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:30,301 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 10:02:30,302 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 10:02:30,326 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 10:02:30,327 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:31,677 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 10:02:31,908 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T14:02:19.534Z' STOP t'2024-04-08T14:02:19.534Z'
2024-04-08 10:02:31,951 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:33,609 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:02:33,609 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 10:02:33,639 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 10:02:33,639 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:34,550 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-08 10:02:34,772 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}')] START t'2024-01-09T14:02:19.536Z' STOP t'2024-04-08T14:02:19.536Z'
2024-04-08 10:02:34,819 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:36,496 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 10:02:36,497 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 10:02:36,528 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 10:02:36,528 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:37,868 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-08 10:02:38,149 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('badidea.exe','conhost.exe','cmd.exe','powershell.exe','shutdown.exe','netsh.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-08 10:02:38,191 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:02:39,947 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 10:02:39,948 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-08 10:02:39,998 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 10:02:39,999 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:02:40,825 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 10:02:40,825 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 10:02:40,825 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b86349959ee54c2095f4996a7a83fc5f", "created": 1712584960815, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-08 10:03:23,018 - file - DEBUG - mqtt -- msg received ***
2024-04-08 10:03:23,018 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 10:03:23,019 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "37709b8681a84de790023732e541af32", "created": 1712585001831, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 10:03:23,039 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 10:03:23,040 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 10:03:23,060 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 10:03:23,060 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 10:03:23,061 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 10:03:23,061 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-c12eb153-4a2d-4b29-99a0-8885caca584a.
2024-04-08 10:03:23,812 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:03:25,473 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 10:03:25,473 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 10:03:25,499 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 10:03:25,499 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:03:26,505 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 10:03:26,516 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-08 10:03:26,517 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 10:03:26,570 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:03:28,240 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-08 10:03:28,240 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-08 10:03:28,355 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-08 10:03:28,356 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:03:29,365 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-08 10:03:29,365 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 10:03:29,373 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-08 10:03:29,647 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.13','172.16.1.14')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-08 10:03:29,686 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 10:03:31,320 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-08 10:03:31,320 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-08 10:03:31,346 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-08 10:03:31,346 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 10:03:32,742 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 10:03:32,743 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 10:03:32,743 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "37709b8681a84de790023732e541af32", "created": 1712585012742, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-08 10:54:05,056 - file - DEBUG - mqtt -- msg received ***
2024-04-08 10:54:05,059 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 10:54:05,059 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "5a3491acbce14b82be45371991b7ed9b", "created": 1712588043775, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 10:54:05,097 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 10:54:05,097 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 10:54:05,098 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "5a3491acbce14b82be45371991b7ed9b", "created": 1712588045096, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 10:55:47,961 - file - DEBUG - mqtt -- msg received ***
2024-04-08 10:55:47,961 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 10:55:47,962 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "aeee018bbf0f441b991db724b78f043b", "created": 1712588146824, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 10:55:47,987 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 10:55:47,987 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 10:55:47,988 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "aeee018bbf0f441b991db724b78f043b", "created": 1712588147986, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 11:33:13,779 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:33:13,783 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:33:13,783 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "fe7b85767659495a9bd4c8c63e7d6948", "created": 1712590392525, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 11:33:13,889 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:33:13,890 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:33:13,890 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "fe7b85767659495a9bd4c8c63e7d6948", "created": 1712590393888, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 11:40:40,810 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:40:40,810 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:40:40,810 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1bbf32180b944c52bc8187f10379fd0f", "created": 1712590839557, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-08 11:40:40,831 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:40:40,832 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:40:40,856 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:40:40,856 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:40:40,857 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:40:40,857 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-f26b18d0-18da-4335-aee1-8e004f0a9f56.
2024-04-08 11:40:41,939 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:40:43,936 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-08 11:40:43,938 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-08 11:40:43,986 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-08 11:40:43,987 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:40:45,276 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-08 11:40:45,721 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-09T15:40:41.868Z' STOP t'2024-04-08T15:40:41.868Z'
2024-04-08 11:40:45,770 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:40:47,646 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:40:47,647 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:40:47,691 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:40:47,691 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:40:48,614 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-08 11:40:48,909 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-09T15:40:41.869Z' STOP t'2024-04-08T15:40:41.869Z'
2024-04-08 11:40:48,955 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:40:50,922 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:50,923 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:51,255 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:51,256 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:51,480 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:51,481 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:51,681 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:51,682 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:51,864 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:51,865 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:52,138 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:52,138 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:52,338 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:52,339 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:52,551 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:52,552 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:52,748 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:52,749 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:53,112 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:53,113 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:53,299 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:53,300 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-08 11:40:53,347 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:53,348 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-08 11:40:53,377 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-08 11:40:53,377 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:41:45,194 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:41:45,194 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:41:45,194 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1bbf32180b944c52bc8187f10379fd0f", "created": 1712590905187, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-08 11:46:41,145 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:46:41,145 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:46:41,145 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "bd784d44791f4e2ca4dc991ba2b50f94", "created": 1712591199926, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 11:46:41,168 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:46:41,169 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:46:41,192 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:46:41,192 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:46:41,192 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:46:41,193 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-77a8d461-07b6-4778-acd6-c473a8fa5ae5.
2024-04-08 11:46:42,174 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:46:43,977 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:46:43,978 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:46:44,007 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:46:44,007 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:46:45,070 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:46:45,081 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 11:46:45,343 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T15:46:42.083Z' STOP t'2024-04-08T15:46:42.083Z'
2024-04-08 11:46:45,382 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:46:47,138 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:46:47,139 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 11:46:47,169 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:46:47,169 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:46:48,193 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 11:46:48,492 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T15:46:42.083Z' STOP t'2024-04-08T15:46:42.083Z'
2024-04-08 11:46:48,533 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:46:50,351 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:46:50,351 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 11:46:50,377 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:46:50,378 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:46:51,997 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 11:46:52,277 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T15:46:42.084Z' STOP t'2024-04-08T15:46:42.084Z'
2024-04-08 11:46:52,318 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:46:54,014 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:46:54,015 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 11:46:54,039 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:46:54,040 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:46:54,612 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 11:46:54,859 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T15:46:42.084Z' STOP t'2024-04-08T15:46:42.084Z'
2024-04-08 11:46:54,895 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:46:56,628 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:46:56,628 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:46:56,661 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:46:56,661 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:46:57,790 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:46:57,791 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:46:57,791 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "bd784d44791f4e2ca4dc991ba2b50f94", "created": 1712591217780, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-08 11:49:18,978 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:49:18,978 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:49:18,979 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "975f6b542e3341ab8f13ad2f39b690dd", "created": 1712591357728, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 11:49:19,009 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:49:19,010 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:49:19,032 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:49:19,032 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:49:19,033 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:49:19,033 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-bde17c8a-f7f3-407e-a44d-ada07a9580d9.
2024-04-08 11:49:20,213 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:22,041 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:49:22,042 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:49:22,079 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:49:22,080 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:23,075 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:49:23,087 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 11:49:23,375 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T15:49:20.105Z' STOP t'2024-04-08T15:49:20.105Z'
2024-04-08 11:49:23,420 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:25,287 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:49:25,288 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 11:49:25,319 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:49:25,320 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:26,209 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 11:49:26,508 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T15:49:20.106Z' STOP t'2024-04-08T15:49:20.106Z'
2024-04-08 11:49:26,559 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:28,440 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:49:28,440 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 11:49:28,472 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:49:28,472 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:28,899 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 11:49:29,292 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T15:49:20.106Z' STOP t'2024-04-08T15:49:20.106Z'
2024-04-08 11:49:29,339 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:31,163 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:49:31,164 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 11:49:31,192 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:49:31,193 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:32,203 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 11:49:32,525 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T15:49:20.106Z' STOP t'2024-04-08T15:49:20.106Z'
2024-04-08 11:49:32,575 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:34,403 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:49:34,404 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:49:34,435 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:49:34,435 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:34,914 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-08 11:49:35,212 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}')] START t'2024-01-09T15:49:20.109Z' STOP t'2024-04-08T15:49:20.109Z'
2024-04-08 11:49:35,269 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:37,069 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:49:37,070 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 11:49:37,103 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:49:37,104 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:38,135 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-08 11:49:38,407 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('badidea.exe','conhost.exe','cmd.exe','powershell.exe','shutdown.exe','netsh.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-08 11:49:38,455 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:49:40,429 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:49:40,430 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-08 11:49:40,463 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:49:40,463 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:49:41,852 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:49:41,853 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:49:41,853 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "975f6b542e3341ab8f13ad2f39b690dd", "created": 1712591381839, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-08 11:53:55,896 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:53:55,896 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:53:55,897 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c81cbb90a2ad4410a2bfd4853211be02", "created": 1712591634661, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 11:53:55,921 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:53:55,923 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:53:55,948 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:53:55,948 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:53:55,948 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:53:55,949 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-08f84c15-7038-481f-b9a5-2e12e2f7c8fe.
2024-04-08 11:53:57,079 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:53:58,907 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:53:58,908 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:53:58,947 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:53:58,947 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:53:59,965 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:53:59,976 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 11:54:00,294 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T15:53:56.978Z' STOP t'2024-04-08T15:53:56.978Z'
2024-04-08 11:54:00,343 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:02,194 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:54:02,195 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 11:54:02,225 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:54:02,225 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:02,710 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 11:54:03,100 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T15:53:56.978Z' STOP t'2024-04-08T15:53:56.978Z'
2024-04-08 11:54:03,146 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:04,984 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:54:04,985 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 11:54:05,018 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:54:05,018 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:06,283 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 11:54:06,612 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T15:53:56.979Z' STOP t'2024-04-08T15:53:56.979Z'
2024-04-08 11:54:06,661 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:08,547 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:54:08,548 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 11:54:08,587 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:54:08,588 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:09,614 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 11:54:09,925 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T15:53:56.979Z' STOP t'2024-04-08T15:53:56.979Z'
2024-04-08 11:54:09,966 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:11,804 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:54:11,805 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:54:11,836 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:54:11,837 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:13,347 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-08 11:54:13,675 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}')] START t'2024-01-09T15:53:56.981Z' STOP t'2024-04-08T15:53:56.981Z'
2024-04-08 11:54:13,731 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:15,593 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:54:15,594 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 11:54:15,632 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:54:15,632 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:16,607 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-08 11:54:17,006 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('badidea.exe','conhost.exe','cmd.exe','powershell.exe','shutdown.exe','netsh.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-08 11:54:17,051 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:54:18,899 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:54:18,899 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-08 11:54:18,935 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:54:18,936 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:54:20,362 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:54:20,362 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:54:20,362 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c81cbb90a2ad4410a2bfd4853211be02", "created": 1712591660351, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-08 11:56:08,797 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:56:08,797 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:56:08,797 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "8e6e36a0f96e457f89c307186f1fe57b", "created": 1712591767577, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 11:56:08,824 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:56:08,825 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:56:08,849 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:56:08,849 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:56:08,850 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:56:08,851 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-75e91dda-ab8e-4c3e-92a9-2b56b05a4685.
2024-04-08 11:56:10,043 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:11,878 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:56:11,878 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:56:11,914 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:56:11,914 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:13,517 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:56:13,529 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-08 11:56:13,927 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-09T15:56:09.928Z' STOP t'2024-04-08T15:56:09.928Z'
2024-04-08 11:56:13,969 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:15,831 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:56:15,831 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-08 11:56:15,874 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-08 11:56:15,875 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:17,129 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-08 11:56:17,465 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-09T15:56:09.929Z' STOP t'2024-04-08T15:56:09.929Z'
2024-04-08 11:56:17,514 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:19,343 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:56:19,344 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-08 11:56:19,381 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-08 11:56:19,381 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:19,889 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-08 11:56:20,202 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-09T15:56:09.929Z' STOP t'2024-04-08T15:56:09.929Z'
2024-04-08 11:56:20,248 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:22,192 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:56:22,192 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-08 11:56:22,227 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-08 11:56:22,228 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:23,498 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-08 11:56:23,806 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-09T15:56:09.930Z' STOP t'2024-04-08T15:56:09.930Z'
2024-04-08 11:56:23,860 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:25,703 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:56:25,704 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-08 11:56:25,732 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-08 11:56:25,732 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:26,744 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-08 11:56:27,163 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}')] START t'2024-01-09T15:56:09.932Z' STOP t'2024-04-08T15:56:09.932Z'
2024-04-08 11:56:27,216 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:29,032 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:56:29,033 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 11:56:29,066 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:56:29,067 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:30,015 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-08 11:56:30,326 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('badidea.exe','conhost.exe','cmd.exe','powershell.exe','shutdown.exe','netsh.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-08 11:56:30,384 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:56:32,250 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:56:32,251 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-08 11:56:32,283 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-08 11:56:32,283 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:56:33,427 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:56:33,428 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:56:33,428 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "8e6e36a0f96e457f89c307186f1fe57b", "created": 1712591793405, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-08 11:58:10,140 - file - DEBUG - mqtt -- msg received ***
2024-04-08 11:58:10,140 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 11:58:10,141 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e099be8cc6ee4182967428d500173cf1", "created": 1712591888925, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-08 11:58:10,167 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-08 11:58:10,169 - kestrel.config - DEBUG - Loading default config file...
2024-04-08 11:58:10,194 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-08 11:58:10,194 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-08 11:58:10,194 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-08 11:58:10,195 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-ee51a33a-ac16-4489-abc0-48734045c9ad.
2024-04-08 11:58:11,320 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:58:13,243 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:58:13,244 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-08 11:58:13,276 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-08 11:58:13,277 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:58:14,656 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:58:14,670 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-08 11:58:14,670 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:58:14,725 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:58:16,570 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-08 11:58:16,570 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-08 11:58:16,627 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-08 11:58:16,628 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:58:17,646 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-08 11:58:17,647 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-08 11:58:17,656 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-08 11:58:17,975 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.13','172.16.1.14')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-08 11:58:18,027 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-08 11:58:19,856 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-08 11:58:19,856 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-08 11:58:19,890 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-08 11:58:19,890 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-08 11:58:21,188 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 11:58:21,188 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 11:58:21,188 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e099be8cc6ee4182967428d500173cf1", "created": 1712591901187, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-08 13:17:04,135 - file - DEBUG - mqtt -- msg received ***
2024-04-08 13:17:04,135 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 13:17:04,136 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "5af24b982bf24036a0e948c73c6fe824", "created": 1712596623011, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 13:17:04,164 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 13:17:04,165 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 13:17:04,165 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "5af24b982bf24036a0e948c73c6fe824", "created": 1712596624163, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 13:51:32,416 - file - DEBUG - mqtt -- msg received ***
2024-04-08 13:51:32,416 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 13:51:32,416 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "f63670dfcaae48f096cc8078dbda6790", "created": 1712598691192, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 13:51:32,445 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 13:51:32,445 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 13:51:32,445 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "f63670dfcaae48f096cc8078dbda6790", "created": 1712598692443, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 14:01:38,740 - file - DEBUG - mqtt -- msg received ***
2024-04-08 14:01:38,743 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 14:01:38,743 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "8152a52d1fb442bca0dc5b92e194d1a7", "created": 1712599297604, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 14:01:38,813 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 14:01:38,813 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 14:01:38,814 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "8152a52d1fb442bca0dc5b92e194d1a7", "created": 1712599298812, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:30:02,615 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:30:02,615 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:30:02,615 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "6bc00a81e009412eba52633bcd09b82e", "created": 1712608200955, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:30:02,641 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:30:02,641 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:30:02,641 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "6bc00a81e009412eba52633bcd09b82e", "created": 1712608202640, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:31:44,094 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:31:44,094 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:31:44,095 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "7b06a85536d046e78000b690f0025792", "created": 1712608302373, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:31:44,117 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:31:44,117 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:31:44,117 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "7b06a85536d046e78000b690f0025792", "created": 1712608304116, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:33:06,425 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:33:06,425 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:33:06,425 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c7d377a8d422459dbd25fcdf3d91fb8f", "created": 1712608384714, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:33:06,450 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:33:06,450 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:33:06,450 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c7d377a8d422459dbd25fcdf3d91fb8f", "created": 1712608386449, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:49:15,139 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:49:15,139 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:49:15,139 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "06dd8355e0a9486893b0fae84c795176", "created": 1712609353872, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:49:15,162 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:49:15,162 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:49:15,162 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "06dd8355e0a9486893b0fae84c795176", "created": 1712609355161, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:57:15,302 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:57:15,302 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:57:15,302 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1ecdd11b1f9c453aa41a681585228e66", "created": 1712609834097, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:57:15,324 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:57:15,324 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:57:15,324 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1ecdd11b1f9c453aa41a681585228e66", "created": 1712609835323, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:58:57,906 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:58:57,906 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:58:57,906 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "15778fafadb94430951ad23ef7c3a014", "created": 1712609936735, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:58:57,928 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:58:57,928 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:58:57,928 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "15778fafadb94430951ad23ef7c3a014", "created": 1712609937927, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 16:59:56,784 - file - DEBUG - mqtt -- msg received ***
2024-04-08 16:59:56,784 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 16:59:56,784 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "7518a9f8b6cf417c8e5f9a2a283af083", "created": 1712609995571, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 16:59:56,808 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 16:59:56,808 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 16:59:56,808 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "7518a9f8b6cf417c8e5f9a2a283af083", "created": 1712609996807, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 17:01:45,329 - file - DEBUG - mqtt -- msg received ***
2024-04-08 17:01:45,329 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 17:01:45,330 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "31602f84d3b0434dabfad66ec30f33d0", "created": 1712610104146, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 17:01:45,351 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 17:01:45,351 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 17:01:45,351 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "31602f84d3b0434dabfad66ec30f33d0", "created": 1712610105350, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-08 17:02:03,250 - file - DEBUG - mqtt -- msg received ***
2024-04-08 17:02:03,250 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-08 17:02:03,251 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b9dc569a6ece40e08b56ef11e1bf0179", "created": 1712610122019, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-08 17:02:03,271 - file - DEBUG - mqtt -- publishing msg ***
2024-04-08 17:02:03,272 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-08 17:02:03,272 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b9dc569a6ece40e08b56ef11e1bf0179", "created": 1712610123270, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 11:11:53,596 - file - DEBUG - mqtt -- msg received ***
2024-04-09 11:11:53,599 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 11:11:53,600 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "dfe98821054c4db6a6ffaffbc96143ea", "created": 1712675512205, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-09 11:11:53,694 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 11:11:53,694 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 11:11:53,694 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "dfe98821054c4db6a6ffaffbc96143ea", "created": 1712675513693, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 11:31:47,387 - file - DEBUG - mqtt -- msg received ***
2024-04-09 11:31:47,388 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 11:31:47,388 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b00ed20fcc774a93a44b05b236ca7701", "created": 1712676706178, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-09 11:31:47,425 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 11:31:47,425 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 11:31:47,425 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b00ed20fcc774a93a44b05b236ca7701", "created": 1712676707424, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 11:42:18,785 - file - DEBUG - mqtt -- msg received ***
2024-04-09 11:42:18,785 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 11:42:18,785 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "fa94cf5e8a6942deae3aec624dafe46a", "created": 1712677337522, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-09 11:42:18,809 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 11:42:18,809 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 11:42:18,809 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "fa94cf5e8a6942deae3aec624dafe46a", "created": 1712677338807, "from": "oif-device-priapus-1712584592864"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 13:25:51,004 - file - DEBUG - Debug FILE -- App Started
2024-04-09 13:25:51,729 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-09 13:57:52,206 - file - DEBUG - mqtt -- msg received ***
2024-04-09 13:57:52,206 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 13:57:52,206 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "994e1f7678fa48878bf4cfdfad6bf8a5", "created": 1712685471009, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-09 13:57:52,247 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 13:57:52,247 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 13:57:52,247 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "994e1f7678fa48878bf4cfdfad6bf8a5", "created": 1712685472243, "from": "oif-device-priapus-1712683550979"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 14:00:22,580 - file - DEBUG - Debug FILE -- App Started
2024-04-09 14:00:23,139 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-09 14:03:30,315 - file - DEBUG - mqtt -- msg received ***
2024-04-09 14:03:30,315 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 14:03:30,316 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "cf9885d1c2234387ac498199f0b9ae24", "created": 1712685808461, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-09 14:03:30,358 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 14:03:30,358 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 14:03:30,358 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "cf9885d1c2234387ac498199f0b9ae24", "created": 1712685810352, "from": "oif-device-priapus-1712685622546"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-09 14:04:38,057 - file - DEBUG - mqtt -- msg received ***
2024-04-09 14:04:38,057 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 14:04:38,057 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "51665a047dde4c63a3c975f3a8e0b884", "created": 1712685876774, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-09 14:04:38,094 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-09 14:04:38,096 - kestrel.config - DEBUG - Loading default config file...
2024-04-09 14:04:38,135 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-09 14:04:38,135 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-09 14:04:38,135 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-09 14:04:38,137 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-84946836-d976-414a-99fb-f602f78f4275.
2024-04-09 14:04:40,021 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:04:41,979 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-09 14:04:41,980 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-09 14:04:42,020 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-09 14:04:42,020 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:04:43,357 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-09 14:04:43,672 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-10T18:04:39.785Z' STOP t'2024-04-09T18:04:39.785Z'
2024-04-09 14:04:43,729 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:04:45,560 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:04:45,560 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-09 14:04:45,590 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:04:45,591 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:04:47,119 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-09 14:04:47,431 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-10T18:04:39.795Z' STOP t'2024-04-09T18:04:39.795Z'
2024-04-09 14:04:47,488 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:04:49,404 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:49,406 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:49,719 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:49,720 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:49,967 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:49,968 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:50,196 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:50,197 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:50,435 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:50,437 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:50,735 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:50,736 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:50,912 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:50,913 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:51,093 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,094 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:51,320 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,322 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:51,609 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,610 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:51,824 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,825 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-09 14:04:51,870 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,871 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-09 14:04:51,912 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-09 14:04:51,912 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:05:36,517 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 14:05:36,517 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 14:05:36,517 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "51665a047dde4c63a3c975f3a8e0b884", "created": 1712685936508, "from": "oif-device-priapus-1712685622546"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-09 14:06:46,750 - file - DEBUG - mqtt -- msg received ***
2024-04-09 14:06:46,750 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 14:06:46,750 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "05b8944af6ed46469b51bb61e74bcaeb", "created": 1712686005503, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-09 14:06:46,779 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-09 14:06:46,781 - kestrel.config - DEBUG - Loading default config file...
2024-04-09 14:06:46,821 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-09 14:06:46,822 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-09 14:06:46,822 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-09 14:06:46,823 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-3fee8243-8e62-4b7d-849b-1e3189b0413c.
2024-04-09 14:06:47,971 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:06:49,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:06:49,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-09 14:06:49,910 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:06:49,911 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:06:50,479 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-09 14:06:50,491 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-09 14:06:50,817 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-10T18:06:47.837Z' STOP t'2024-04-09T18:06:47.837Z'
2024-04-09 14:06:50,904 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:06:52,850 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-09 14:06:52,851 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-09 14:06:52,897 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-09 14:06:52,898 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:06:53,667 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-09 14:06:53,990 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-10T18:06:47.838Z' STOP t'2024-04-09T18:06:47.838Z'
2024-04-09 14:06:54,041 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:06:55,877 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-09 14:06:55,878 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-09 14:06:55,916 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-09 14:06:55,916 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:06:56,827 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-09 14:06:57,162 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-10T18:06:47.838Z' STOP t'2024-04-09T18:06:47.838Z'
2024-04-09 14:06:57,208 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:06:59,148 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-09 14:06:59,148 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-09 14:06:59,183 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-09 14:06:59,184 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:07:00,300 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-09 14:07:00,608 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-10T18:06:47.838Z' STOP t'2024-04-09T18:06:47.838Z'
2024-04-09 14:07:00,664 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:07:02,578 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:07:02,579 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-09 14:07:02,613 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-09 14:07:02,614 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:07:03,128 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 14:07:03,128 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 14:07:03,128 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "05b8944af6ed46469b51bb61e74bcaeb", "created": 1712686023117, "from": "oif-device-priapus-1712685622546"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-09 14:08:17,243 - file - DEBUG - mqtt -- msg received ***
2024-04-09 14:08:17,243 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-09 14:08:17,244 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0262884014b8417e893bc1c5446484ef", "created": 1712686095993, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-09 14:08:17,272 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-09 14:08:17,273 - kestrel.config - DEBUG - Loading default config file...
2024-04-09 14:08:17,297 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-09 14:08:17,298 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-09 14:08:17,298 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-09 14:08:17,299 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-35e9056f-4063-4c81-a3b0-6f0077c8c46c.
2024-04-09 14:08:18,345 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:08:20,137 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-09 14:08:20,138 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-09 14:08:20,176 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-09 14:08:20,176 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:08:21,306 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-09 14:08:21,316 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-09 14:08:21,317 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-09 14:08:21,407 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:08:23,213 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-09 14:08:23,214 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-09 14:08:23,248 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-09 14:08:23,248 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:08:23,887 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-09 14:08:23,887 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-09 14:08:23,896 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-09 14:08:24,185 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.14','172.16.1.13')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-09 14:08:24,237 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-09 14:08:26,075 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-09 14:08:26,076 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-09 14:08:26,109 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-09 14:08:26,109 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-09 14:08:27,059 - file - DEBUG - mqtt -- publishing msg ***
2024-04-09 14:08:27,059 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-09 14:08:27,059 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0262884014b8417e893bc1c5446484ef", "created": 1712686107058, "from": "oif-device-priapus-1712685622546"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-10 09:55:43,339 - file - DEBUG - Debug FILE -- App Started
2024-04-10 09:55:44,099 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-10 13:11:33,969 - file - DEBUG - Debug FILE -- App Started
2024-04-10 13:11:34,708 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-10 13:12:00,779 - file - DEBUG - mqtt -- msg received ***
2024-04-10 13:12:00,779 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-10 13:12:00,779 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "b828b5a82678436fb6664208a80a326c", "created": 1712769119633, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-10 13:12:00,881 - file - DEBUG - mqtt -- publishing msg ***
2024-04-10 13:12:00,881 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-10 13:12:00,881 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "b828b5a82678436fb6664208a80a326c", "created": 1712769120878, "from": "oif-device-priapus-1712769093949"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-10 13:12:28,636 - file - DEBUG - mqtt -- msg received ***
2024-04-10 13:12:28,636 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-10 13:12:28,636 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0a3addd6a05e4326b3743e4fce28bb3c", "created": 1712769147440, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-10 13:12:28,657 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-10 13:12:28,658 - kestrel.config - DEBUG - Loading default config file...
2024-04-10 13:12:28,678 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-10 13:12:28,679 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-10 13:12:28,679 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-10 13:12:28,680 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-37ed9d65-a1c3-419a-a0f3-c1539764d22b.
2024-04-10 13:12:30,102 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:12:31,966 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-10 13:12:31,966 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-10 13:12:32,004 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-10 13:12:32,004 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:12:33,004 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-10 13:12:33,232 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-11T17:12:29.918Z' STOP t'2024-04-10T17:12:29.918Z'
2024-04-10 13:12:33,271 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:12:34,958 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:12:34,959 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-10 13:12:34,984 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:12:34,984 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:12:36,010 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-10 13:12:36,229 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-11T17:12:29.928Z' STOP t'2024-04-10T17:12:29.928Z'
2024-04-10 13:12:36,270 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:12:38,034 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:38,035 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:38,277 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:38,278 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:38,458 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:38,459 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:38,616 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:38,616 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:38,793 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:38,794 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,026 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,027 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,203 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,203 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,359 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,360 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,543 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,544 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,815 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,816 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:39,989 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:39,990 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-10 13:12:40,027 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:40,027 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-10 13:12:40,060 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-10 13:12:40,060 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:13:13,944 - file - DEBUG - mqtt -- publishing msg ***
2024-04-10 13:13:13,944 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-10 13:13:13,944 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0a3addd6a05e4326b3743e4fce28bb3c", "created": 1712769193938, "from": "oif-device-priapus-1712769093949"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-10 13:13:50,649 - file - DEBUG - mqtt -- msg received ***
2024-04-10 13:13:50,649 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-10 13:13:50,649 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "eea2f76898d34c88b6d880075bb13bea", "created": 1712769229489, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-10 13:13:50,672 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-10 13:13:50,673 - kestrel.config - DEBUG - Loading default config file...
2024-04-10 13:13:50,693 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-10 13:13:50,693 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-10 13:13:50,693 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-10 13:13:50,694 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-04645fe7-ad38-4eb3-9969-c68dcd6f6927.
2024-04-10 13:13:51,447 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:13:53,143 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:13:53,144 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-10 13:13:53,184 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:13:53,185 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:13:54,335 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-10 13:13:54,344 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-10 13:13:54,557 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-11T17:13:51.358Z' STOP t'2024-04-10T17:13:51.358Z'
2024-04-10 13:13:54,592 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:13:56,336 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-10 13:13:56,337 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-10 13:13:56,363 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-10 13:13:56,363 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:13:57,963 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-10 13:13:58,184 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-11T17:13:51.359Z' STOP t'2024-04-10T17:13:51.359Z'
2024-04-10 13:13:58,218 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:13:59,862 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-10 13:13:59,862 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-10 13:13:59,893 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-10 13:13:59,894 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:00,952 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-10 13:14:01,170 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-11T17:13:51.359Z' STOP t'2024-04-10T17:13:51.359Z'
2024-04-10 13:14:01,205 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:02,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-10 13:14:02,869 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-10 13:14:02,899 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-10 13:14:02,899 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:03,985 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-10 13:14:04,198 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-11T17:13:51.359Z' STOP t'2024-04-10T17:13:51.359Z'
2024-04-10 13:14:04,232 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:05,901 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:05,902 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-10 13:14:05,930 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:05,930 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:07,023 - file - DEBUG - mqtt -- publishing msg ***
2024-04-10 13:14:07,024 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-10 13:14:07,024 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "eea2f76898d34c88b6d880075bb13bea", "created": 1712769247015, "from": "oif-device-priapus-1712769093949"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-10 13:14:31,405 - file - DEBUG - mqtt -- msg received ***
2024-04-10 13:14:31,405 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-10 13:14:31,406 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "968f0f17b9894b7cae2f86dc337b8891", "created": 1712769270134, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-10 13:14:31,430 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-10 13:14:31,431 - kestrel.config - DEBUG - Loading default config file...
2024-04-10 13:14:31,451 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-10 13:14:31,451 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-10 13:14:31,451 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-10 13:14:31,452 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-4b2f4744-3466-4b56-8eb4-c980cdfccd9a.
2024-04-10 13:14:32,227 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:33,900 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:33,900 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-10 13:14:33,929 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:33,929 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:35,350 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-10 13:14:35,361 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-10 13:14:35,600 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-11T17:14:32.151Z' STOP t'2024-04-10T17:14:32.151Z'
2024-04-10 13:14:35,636 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:37,301 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-10 13:14:37,301 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-10 13:14:37,331 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-10 13:14:37,332 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:38,962 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-10 13:14:39,233 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-11T17:14:32.152Z' STOP t'2024-04-10T17:14:32.152Z'
2024-04-10 13:14:39,267 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:40,932 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-10 13:14:40,933 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-10 13:14:40,964 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-10 13:14:40,965 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:42,316 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-10 13:14:42,562 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-11T17:14:32.152Z' STOP t'2024-04-10T17:14:32.152Z'
2024-04-10 13:14:42,597 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:44,244 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-10 13:14:44,245 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-10 13:14:44,272 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-10 13:14:44,272 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:45,380 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-10 13:14:45,712 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-11T17:14:32.152Z' STOP t'2024-04-10T17:14:32.152Z'
2024-04-10 13:14:45,763 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:47,515 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:47,516 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-10 13:14:47,550 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-10 13:14:47,551 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:48,554 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-10 13:14:48,796 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}')] START t'2024-01-11T17:14:32.154Z' STOP t'2024-04-10T17:14:32.154Z'
2024-04-10 13:14:48,848 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:50,543 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-10 13:14:50,544 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-10 13:14:50,577 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-10 13:14:50,577 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:51,636 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-10 13:14:51,908 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('netsh.exe','shutdown.exe','powershell.exe','cmd.exe','conhost.exe','badidea.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-10 13:14:51,950 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:14:53,637 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-10 13:14:53,638 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-10 13:14:53,674 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-10 13:14:53,675 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:14:54,672 - file - DEBUG - mqtt -- publishing msg ***
2024-04-10 13:14:54,672 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-10 13:14:54,672 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "968f0f17b9894b7cae2f86dc337b8891", "created": 1712769294663, "from": "oif-device-priapus-1712769093949"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-10 13:15:24,346 - file - DEBUG - mqtt -- msg received ***
2024-04-10 13:15:24,346 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-10 13:15:24,346 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a911acb605b64f2daa1a799eb06e0865", "created": 1712769323154, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-10 13:15:24,367 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-10 13:15:24,368 - kestrel.config - DEBUG - Loading default config file...
2024-04-10 13:15:24,388 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-10 13:15:24,389 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-10 13:15:24,389 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-10 13:15:24,389 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-210cff4e-73ce-4ef2-b139-ec8c7ecb8af6.
2024-04-10 13:15:25,130 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:15:26,835 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-10 13:15:26,835 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-10 13:15:26,866 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-10 13:15:26,867 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:15:28,547 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-10 13:15:28,557 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-10 13:15:28,557 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-10 13:15:28,627 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:15:30,291 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-10 13:15:30,292 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-10 13:15:30,387 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-10 13:15:30,388 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:15:31,484 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-10 13:15:31,485 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-10 13:15:31,493 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-10 13:15:31,789 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.14','172.16.1.13')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-10 13:15:31,833 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-10 13:15:33,500 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-10 13:15:33,501 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-10 13:15:33,532 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-10 13:15:33,533 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-10 13:15:34,186 - file - DEBUG - mqtt -- publishing msg ***
2024-04-10 13:15:34,186 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-10 13:15:34,186 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a911acb605b64f2daa1a799eb06e0865", "created": 1712769334185, "from": "oif-device-priapus-1712769093949"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-11 08:44:49,018 - file - DEBUG - Debug FILE -- App Started
2024-04-11 08:44:49,603 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-11 10:32:45,919 - file - DEBUG - mqtt -- msg received ***
2024-04-11 10:32:45,923 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 10:32:45,924 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "d11dd11d74b248a782e66afdb9025bd7", "created": 1712845963614, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-11 10:32:46,010 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 10:32:46,010 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 10:32:46,011 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "d11dd11d74b248a782e66afdb9025bd7", "created": 1712845966008, "from": "oif-device-priapus-1712839488999"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-11 14:19:16,036 - file - DEBUG - Debug FILE -- App Started
2024-04-11 14:19:16,484 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-11 14:19:44,198 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:19:44,199 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:19:44,199 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "6b30708e548c4371a1b4797b8e8472ee", "created": 1712859582252, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-11 14:19:44,276 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:19:44,276 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:19:44,276 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "6b30708e548c4371a1b4797b8e8472ee", "created": 1712859584273, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-11 14:20:19,048 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:20:19,048 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:20:19,049 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "aa7cbbd564bb4e20b1c1cab27bee4216", "created": 1712859617115, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-11 14:20:19,075 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 14:20:19,077 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 14:20:19,097 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 14:20:19,098 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 14:20:19,098 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 14:20:19,099 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-7c91d0e8-e4db-49ef-84b2-834f4a560550.
2024-04-11 14:20:20,712 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:20:22,625 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-11 14:20:22,626 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-11 14:20:22,657 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-11 14:20:22,658 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:20:23,688 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-11 14:20:23,951 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-12T18:20:20.497Z' STOP t'2024-04-11T18:20:20.497Z'
2024-04-11 14:20:24,021 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:20:25,685 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:20:25,686 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 14:20:25,710 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:20:25,711 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:20:27,066 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-11 14:20:27,305 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-12T18:20:20.506Z' STOP t'2024-04-11T18:20:20.506Z'
2024-04-11 14:20:27,356 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:20:29,152 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:29,153 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:29,426 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:29,428 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:29,597 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:29,598 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:29,805 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:29,806 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:30,016 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:30,016 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:30,259 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:30,260 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:30,498 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:30,499 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:30,735 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:30,736 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:30,973 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:30,975 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:31,259 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:31,260 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:31,437 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:31,437 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 14:20:31,483 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:31,483 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-11 14:20:31,517 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 14:20:31,517 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:21:08,593 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:21:08,593 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:21:08,593 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "aa7cbbd564bb4e20b1c1cab27bee4216", "created": 1712859668587, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-11 14:26:45,295 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:26:45,295 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:26:45,295 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "238904114dd64d64b922a4f0c7cabbe1", "created": 1712860003347, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 14:26:45,319 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 14:26:45,320 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 14:26:45,345 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 14:26:45,345 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 14:26:45,346 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 14:26:45,346 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-eac95894-6d6e-453b-b3e8-705279d3a1b2.
2024-04-11 14:26:46,137 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:26:47,893 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:26:47,893 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 14:26:47,925 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:26:47,925 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:26:49,613 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 14:26:49,624 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-11 14:26:49,965 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-12T18:26:46.044Z' STOP t'2024-04-11T18:26:46.044Z'
2024-04-11 14:26:50,006 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:26:51,776 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 14:26:51,776 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-11 14:26:51,809 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 14:26:51,810 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:26:52,782 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-11 14:26:53,021 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-12T18:26:46.044Z' STOP t'2024-04-11T18:26:46.044Z'
2024-04-11 14:26:53,060 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:26:54,844 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 14:26:54,845 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-11 14:26:54,878 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 14:26:54,879 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:26:55,390 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-11 14:26:55,622 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-12T18:26:46.045Z' STOP t'2024-04-11T18:26:46.045Z'
2024-04-11 14:26:55,661 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:26:57,437 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 14:26:57,438 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-11 14:26:57,474 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 14:26:57,474 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:26:57,996 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-11 14:26:58,298 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-12T18:26:46.045Z' STOP t'2024-04-11T18:26:46.045Z'
2024-04-11 14:26:58,348 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:00,056 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:00,057 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 14:27:00,091 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:00,091 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:27:01,163 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:27:01,164 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:27:01,164 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "238904114dd64d64b922a4f0c7cabbe1", "created": 1712860021154, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-11 14:27:43,718 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:27:43,718 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:27:43,718 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "13ead35ebb9a4588a47f31d9dc3534fa", "created": 1712860061772, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 14:27:43,740 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 14:27:43,741 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 14:27:43,765 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 14:27:43,765 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 14:27:43,766 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 14:27:43,766 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-268e03e6-1a8c-4dbd-8fda-e55ccfb62d60.
2024-04-11 14:27:44,677 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:46,463 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:46,464 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 14:27:46,488 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:46,489 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:27:47,577 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 14:27:47,587 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-11 14:27:47,823 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-12T18:27:44.593Z' STOP t'2024-04-11T18:27:44.593Z'
2024-04-11 14:27:47,864 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:49,584 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 14:27:49,585 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-11 14:27:49,612 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 14:27:49,613 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:27:50,588 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-11 14:27:50,891 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-12T18:27:44.594Z' STOP t'2024-04-11T18:27:44.594Z'
2024-04-11 14:27:50,934 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:52,671 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 14:27:52,672 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-11 14:27:52,700 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 14:27:52,700 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:27:54,267 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-11 14:27:54,536 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-12T18:27:44.595Z' STOP t'2024-04-11T18:27:44.595Z'
2024-04-11 14:27:54,580 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:56,307 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 14:27:56,308 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-11 14:27:56,336 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 14:27:56,337 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:27:57,353 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-11 14:27:57,596 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-12T18:27:44.595Z' STOP t'2024-04-11T18:27:44.595Z'
2024-04-11 14:27:57,638 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:27:59,370 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:59,371 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 14:27:59,406 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 14:27:59,407 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:00,972 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-11 14:28:01,222 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-c4c3-65e8-bb10-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}')] START t'2024-01-12T18:27:44.598Z' STOP t'2024-04-11T18:27:44.598Z'
2024-04-11 14:28:01,269 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:28:02,944 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 14:28:02,945 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-11 14:28:02,974 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 14:28:02,974 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:04,295 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-11 14:28:04,606 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('badidea.exe','netsh.exe','shutdown.exe','conhost.exe','powershell.exe','cmd.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-11 14:28:04,659 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:28:06,419 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-11 14:28:06,420 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-11 14:28:06,461 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-11 14:28:06,461 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:07,552 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:28:07,552 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:28:07,553 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "13ead35ebb9a4588a47f31d9dc3534fa", "created": 1712860087541, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-11 14:28:19,767 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:28:19,767 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:28:19,767 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a62af43872b24e65a7f3139c4f6f457f", "created": 1712860097847, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 14:28:19,790 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 14:28:19,792 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 14:28:19,811 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 14:28:19,811 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 14:28:19,812 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 14:28:19,812 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-e6ef64ef-f2fb-44ac-86f0-0f5929a375dc.
2024-04-11 14:28:20,625 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:28:22,339 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 14:28:22,339 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-11 14:28:22,371 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 14:28:22,371 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:24,039 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 14:28:24,049 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-11 14:28:24,049 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 14:28:24,109 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:28:25,822 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-11 14:28:25,823 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-11 14:28:25,924 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-11 14:28:25,925 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:27,010 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-11 14:28:27,011 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 14:28:27,018 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-11 14:28:27,335 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.13','172.16.1.14')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-11 14:28:27,380 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 14:28:29,068 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-11 14:28:29,068 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-11 14:28:29,103 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-11 14:28:29,103 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 14:28:30,234 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:28:30,234 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:28:30,234 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a62af43872b24e65a7f3139c4f6f457f", "created": 1712860110233, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-11 14:59:55,852 - file - DEBUG - mqtt -- msg received ***
2024-04-11 14:59:55,853 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 14:59:55,853 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "1f23c44291164cc69ca987cc21c12104", "created": 1712861993594, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-11 14:59:55,894 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 14:59:55,895 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 14:59:55,895 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "1f23c44291164cc69ca987cc21c12104", "created": 1712861995891, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-11 15:19:55,197 - file - DEBUG - mqtt -- msg received ***
2024-04-11 15:19:55,197 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 15:19:55,197 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0ecda66b45444707adfab824f34f2c3e", "created": 1712863193295, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-11 15:19:55,275 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 15:19:55,275 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 15:19:55,276 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0ecda66b45444707adfab824f34f2c3e", "created": 1712863195268, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": [{"filename": "oc2-hunt-3.jhf", "fullpath": "./hunts/jinja/oc2-hunt-3.jhf"}, {"filename": "oc2-hunt-1.jhf", "fullpath": "./hunts/jinja/oc2-hunt-1.jhf"}, {"filename": "oc2-hunt-4.jhf", "fullpath": "./hunts/jinja/oc2-hunt-4.jhf"}, {"filename": "oc2-hunt-2.jhf", "fullpath": "./hunts/jinja/oc2-hunt-2.jhf"}]}}}}
2024-04-11 15:21:37,736 - file - DEBUG - mqtt -- msg received ***
2024-04-11 15:21:37,736 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 15:21:37,736 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "090bd312156e4fdebc71c745196a3cf2", "created": 1712863295857, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-11 15:21:37,768 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 15:21:37,770 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 15:21:37,817 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 15:21:37,818 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 15:21:37,819 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 15:21:37,824 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-27603e6c-506e-4650-926e-335ba18df82e.
2024-04-11 15:21:39,123 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:21:41,276 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-11 15:21:41,277 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 1
2024-04-11 15:21:41,339 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 1, 'relation': 'eq'}
2024-04-11 15:21:41,340 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:21:42,540 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch disablefw_local.
2024-04-11 15:21:43,192 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd78-65e8-9610-000000000500}'] START t'2024-01-12T19:21:39.033Z' STOP t'2024-04-11T19:21:39.033Z'
2024-04-11 15:21:43,278 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:21:45,361 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:21:45,362 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 15:21:45,393 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:21:45,393 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:21:46,085 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch hosts_local.
2024-04-11 15:21:46,457 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [x-oca-asset:device_id = 'dd94cc1a-b670-4c10-82f3-65fd39929711'] START t'2024-01-12T19:21:39.034Z' STOP t'2024-04-11T19:21:39.034Z'
2024-04-11 15:21:46,518 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:21:48,939 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:48,941 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:49,380 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:49,381 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:49,695 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:49,697 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:50,027 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:50,028 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:50,349 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:50,351 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:50,788 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:50,790 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:51,165 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:51,166 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:51,467 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:51,470 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:51,821 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:51,823 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:52,362 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:52,363 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:52,707 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:52,709 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2000
2024-04-11 15:21:52,770 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:52,770 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 122
2024-04-11 15:21:52,827 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 10000, 'relation': 'gte'}
2024-04-11 15:21:52,827 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:23:00,258 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 15:23:00,259 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 15:23:00,259 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "090bd312156e4fdebc71c745196a3cf2", "created": 1712863380251, "from": "oif-device-priapus-1712859556016"}, "body": {"openc2": {"response": {"status": 200, "results": {"disablefw": {"name": "netsh.exe", "pid": 12232, "x_unique_id": "{dd94cc1a-bd78-65e8-9610-000000000500}", "command_line": "netsh  advfirewall set allprofiles state off", "id": "process--7dccc952-6663-579d-ba34-5a8a489de95d", "cwd": "C:\\WINDOWS\\system32\\", "x_window_title": null, "binary_ref.name": "netsh.exe", "binary_ref.id": "file--b79adcff-5054-5b1f-96af-500475b71f21", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "type": "process"}, "hosts": {"hostname": "win10-casp-ws2", "name": "win10-casp-ws2", "device_id": "dd94cc1a-b670-4c10-82f3-65fd39929711", "architecture": "x86_64", "id": "x-oca-asset--254a9cca-587a-56fc-8f3e-6d62d4979eab", "type": "x-oca-asset"}}}}}}
2024-04-11 15:24:20,611 - file - DEBUG - Debug FILE -- App Started
2024-04-11 15:24:21,117 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-11 15:26:09,575 - file - DEBUG - mqtt -- msg received ***
2024-04-11 15:26:09,576 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 15:26:09,576 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "21547733c3fe46d8bcf16913ddb1179d", "created": 1712863567694, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-2.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 15:26:09,635 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 15:26:09,637 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 15:26:09,684 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 15:26:09,684 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 15:26:09,684 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 15:26:09,686 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-4673468b-0575-4a9c-b3b3-cca863af525b.
2024-04-11 15:26:12,287 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:26:14,482 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:26:14,482 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 15:26:14,523 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:26:14,524 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:26:15,755 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 15:26:15,767 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-11 15:26:16,208 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-12T19:26:11.955Z' STOP t'2024-04-11T19:26:11.955Z'
2024-04-11 15:26:16,277 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:26:18,254 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 15:26:18,255 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-11 15:26:18,295 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 15:26:18,295 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:26:19,534 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-11 15:26:19,950 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-12T19:26:11.955Z' STOP t'2024-04-11T19:26:11.955Z'
2024-04-11 15:26:20,021 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:26:22,080 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 15:26:22,080 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-11 15:26:22,123 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 15:26:22,124 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:26:22,725 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-11 15:26:23,114 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-12T19:26:11.956Z' STOP t'2024-04-11T19:26:11.956Z'
2024-04-11 15:26:23,172 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:26:25,243 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 15:26:25,245 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-11 15:26:25,291 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 15:26:25,291 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:26:26,896 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-11 15:26:27,345 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-12T19:26:11.956Z' STOP t'2024-04-11T19:26:11.956Z'
2024-04-11 15:26:27,401 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:26:29,382 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:26:29,382 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 15:26:29,425 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:26:29,426 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:26:30,636 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 15:26:30,637 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 15:26:30,637 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "21547733c3fe46d8bcf16913ddb1179d", "created": 1712863590619, "from": "oif-device-priapus-1712863460578"}, "body": {"openc2": {"response": {"status": 200, "results": {"ancestors": {"name": "WINWORD.EXE", "pid": 11084, "x_unique_id": "{dd94cc1a-8997-65e7-2e0e-000000000500}", "command_line": "\"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"C:\\Users\\Administrator\\Desktop\\More Malware.docx\"", "id": "process--ab617e90-0eac-5b92-8b29-507f94361217", "cwd": null, "x_window_title": null, "binary_ref.name": "WINWORD.EXE", "binary_ref.id": "file--0ab8718e-ed73-52b7-b785-27b3970697cf", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Program Files\\Microsoft Office\\Office14", "binary_ref.parent_directory_ref.id": "directory--d1993953-9aa0-55d5-9112-4afbba6ed1b5", "parent_ref.name": null, "parent_ref.pid": null, "parent_ref.x_unique_id": null, "parent_ref.command_line": null, "parent_ref.id": null, "parent_ref.cwd": null, "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": null, "parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.id": null, "parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": null, "parent_ref.binary_ref.id": null, "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.creator_user_ref.x_domain": null, "parent_ref.creator_user_ref.user_id": null, "parent_ref.creator_user_ref.account_login": null, "parent_ref.creator_user_ref.id": null, "creator_user_ref.x_domain": "BLUE", "creator_user_ref.user_id": "Administrator", "creator_user_ref.account_login": "Administrator", "creator_user_ref.id": "user-account--0d9de746-bd55-5dce-9788-742775089822", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}}}}}}
2024-04-11 15:27:31,969 - file - DEBUG - mqtt -- msg received ***
2024-04-11 15:27:31,969 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 15:27:31,969 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "84200a8978b248dfb284d78be0461bc8", "created": 1712863650107, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-3.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:disablefw.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 15:27:32,005 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 15:27:32,007 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 15:27:32,043 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 15:27:32,044 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 15:27:32,044 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 15:27:32,045 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-3f6c07b4-0007-433e-b95f-c9f29de7cad6.
2024-04-11 15:27:33,377 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:35,450 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:27:35,451 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 15:27:35,495 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:27:35,495 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:36,848 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 15:27:36,862 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p2s_local.
2024-04-11 15:27:37,486 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-bd59-65e8-9410-000000000500}'] START t'2024-01-12T19:27:33.240Z' STOP t'2024-04-11T19:27:33.240Z'
2024-04-11 15:27:37,556 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:39,480 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 15:27:39,481 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 4
2024-04-11 15:27:39,516 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 4, 'relation': 'eq'}
2024-04-11 15:27:39,516 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:40,686 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p3s_local.
2024-04-11 15:27:41,162 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9565-65e8-4b0f-000000000500}'] START t'2024-01-12T19:27:33.240Z' STOP t'2024-04-11T19:27:33.240Z'
2024-04-11 15:27:41,227 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:43,297 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 15:27:43,298 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 8
2024-04-11 15:27:43,337 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 8, 'relation': 'eq'}
2024-04-11 15:27:43,337 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:44,390 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p4s_local.
2024-04-11 15:27:44,786 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-9564-65e8-470f-000000000500}'] START t'2024-01-12T19:27:33.241Z' STOP t'2024-04-11T19:27:33.241Z'
2024-04-11 15:27:44,844 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:46,871 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 15:27:46,872 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 5
2024-04-11 15:27:46,916 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 5, 'relation': 'eq'}
2024-04-11 15:27:46,917 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:48,154 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch p5s_local.
2024-04-11 15:27:48,595 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id = '{dd94cc1a-8997-65e7-2e0e-000000000500}'] START t'2024-01-12T19:27:33.241Z' STOP t'2024-04-11T19:27:33.241Z'
2024-04-11 15:27:48,676 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:50,914 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:27:50,915 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 2
2024-04-11 15:27:50,959 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 2, 'relation': 'eq'}
2024-04-11 15:27:50,960 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:51,987 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch siblings_local.
2024-04-11 15:27:52,552 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [process:x_unique_id IN ('{dd94cc1a-9564-65e8-480f-000000000500}','{dd94cc1a-bd59-65e8-9410-000000000500}','{dd94cc1a-c4c3-65e8-ba10-000000000500}','{dd94cc1a-9564-65e8-470f-000000000500}','{dd94cc1a-bd59-65e8-9510-000000000500}','{dd94cc1a-9565-65e8-4b0f-000000000500}','{dd94cc1a-bd78-65e8-9610-000000000500}','{dd94cc1a-c4c3-65e8-bb10-000000000500}')] START t'2024-01-12T19:27:33.244Z' STOP t'2024-04-11T19:27:33.244Z'
2024-04-11 15:27:52,684 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:54,806 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 15:27:54,807 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-11 15:27:54,862 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 15:27:54,863 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:27:56,503 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch binaries_local.
2024-04-11 15:27:57,030 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [file:name IN ('cmd.exe','badidea.exe','conhost.exe','shutdown.exe','powershell.exe','netsh.exe')] START t'2024-03-06T16:05:10.453Z' STOP t'2024-03-06T19:37:19.957Z'
2024-04-11 15:27:57,157 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:27:59,429 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-11 15:27:59,430 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 174
2024-04-11 15:27:59,493 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 174, 'relation': 'eq'}
2024-04-11 15:27:59,493 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:28:01,670 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 15:28:01,670 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 15:28:01,671 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "84200a8978b248dfb284d78be0461bc8", "created": 1712863681653, "from": "oif-device-priapus-1712863460578"}, "body": {"openc2": {"response": {"status": 200, "results": {"siblings": {"name": "conhost.exe", "pid": 2364, "x_unique_id": "{dd94cc1a-bd59-65e8-9510-000000000500}", "command_line": "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1", "id": "process--046e0210-913d-576f-bc9b-5910c5672479", "cwd": "C:\\WINDOWS", "x_window_title": null, "binary_ref.name": "conhost.exe", "binary_ref.id": "file--9d6a9721-9948-53ff-83f8-3865bc03c727", "binary_ref.hashes.'SHA-256'": null, "binary_ref.hashes.MD5": null, "binary_ref.x_path": null, "binary_ref.x_extension": null, "binary_ref.x_target_path": null, "binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.name": "cmd.exe", "parent_ref.pid": 5268, "parent_ref.x_unique_id": "{dd94cc1a-bd59-65e8-9410-000000000500}", "parent_ref.command_line": "cmd.exe", "parent_ref.id": "process--4527beab-7e6d-5587-bb74-94554996724d", "parent_ref.cwd": "C:\\WINDOWS\\system32\\", "parent_ref.x_window_title": null, "parent_ref.parent_ref.name": "badidea.exe", "parent_ref.parent_ref.pid": 3096, "parent_ref.parent_ref.x_unique_id": "{dd94cc1a-9565-65e8-4b0f-000000000500}", "parent_ref.parent_ref.command_line": "\"C:\\Users\\Public\\badidea.exe\" ", "parent_ref.parent_ref.id": "process--f42543ad-54ba-5878-a0b7-2800f019934b", "parent_ref.parent_ref.cwd": "C:\\Users\\Administrator\\Documents\\", "parent_ref.parent_ref.x_window_title": null, "parent_ref.binary_ref.name": "cmd.exe", "parent_ref.binary_ref.id": "file--bdb40b46-65f7-5a74-9516-60746576d4e7", "parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.binary_ref.hashes.MD5": null, "parent_ref.binary_ref.x_path": null, "parent_ref.binary_ref.x_extension": null, "parent_ref.binary_ref.x_target_path": null, "parent_ref.binary_ref.parent_directory_ref.path": "C:\\Windows\\System32", "parent_ref.binary_ref.parent_directory_ref.id": "directory--0a58d0c1-59e6-5afd-8252-dcd3f13e5622", "parent_ref.creator_user_ref.x_domain": "NT AUTHORITY", "parent_ref.creator_user_ref.user_id": "SYSTEM", "parent_ref.creator_user_ref.account_login": "SYSTEM", "parent_ref.creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "creator_user_ref.x_domain": "NT AUTHORITY", "creator_user_ref.user_id": "SYSTEM", "creator_user_ref.account_login": "SYSTEM", "creator_user_ref.id": "user-account--2d7bb9a7-98f3-5d8e-b6e0-9a10ef930561", "parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.creator_user_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.name": null, "parent_ref.parent_ref.parent_ref.parent_ref.pid": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_unique_id": null, "parent_ref.parent_ref.parent_ref.parent_ref.command_line": null, "parent_ref.parent_ref.parent_ref.parent_ref.id": null, "parent_ref.parent_ref.parent_ref.parent_ref.cwd": null, "parent_ref.parent_ref.parent_ref.parent_ref.x_window_title": null, "parent_ref.parent_ref.parent_ref.binary_ref.name": null, "parent_ref.parent_ref.parent_ref.binary_ref.id": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.'SHA-256'": null, "parent_ref.parent_ref.parent_ref.binary_ref.hashes.MD5": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_extension": null, "parent_ref.parent_ref.parent_ref.binary_ref.x_target_path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.path": null, "parent_ref.parent_ref.parent_ref.binary_ref.parent_directory_ref.id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.x_domain": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.user_id": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.account_login": null, "parent_ref.parent_ref.parent_ref.creator_user_ref.id": null, "type": "process"}, "binaries": {"name": "powershell.exe", "id": "file--0daceb39-1883-534b-b6ab-ebcafab74cfa", "hashes.'SHA-256'": null, "hashes.MD5": null, "parent_directory_ref.path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0", "parent_directory_ref.id": "directory--c18706ba-12ab-53b2-9524-6ef585f3127a", "type": "file"}}}}}}
2024-04-11 15:29:01,408 - file - DEBUG - mqtt -- msg received ***
2024-04-11 15:29:01,408 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-11 15:29:01,408 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "27861ae069ee47e89da149987674a5d1", "created": 1712863739506, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-4.jhf"}}, "args": {"th": {"huntargs": {"string_args": ["filename_1:siblings.json", "filename_2:hosts.json"]}}}}}}}
2024-04-11 15:29:01,454 - kestrel.session - DEBUG - Establish session with session_id: None, runtime_dir: None, store_path:None, debug_mode:False
2024-04-11 15:29:01,456 - kestrel.config - DEBUG - Loading default config file...
2024-04-11 15:29:01,495 - kestrel.config - DEBUG - User configuration file not exist.
2024-04-11 15:29:01,495 - kestrel.config - DEBUG - User configuration loaded: {}
2024-04-11 15:29:01,495 - kestrel.config - DEBUG - Updating default config with user config...
2024-04-11 15:29:01,496 - kestrel.session - DEBUG - create new session runtime_directory: /tmp/kestrel-session-1001-5f2f3c87-fe12-484c-b16b-addc86e56ebe.
2024-04-11 15:29:02,992 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:29:05,031 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 15:29:05,031 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 20
2024-04-11 15:29:05,070 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 20, 'relation': 'eq'}
2024-04-11 15:29:05,070 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:29:06,361 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 15:29:06,381 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_local.
2024-04-11 15:29:06,381 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 15:29:06,483 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:29:08,470 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-11 15:29:08,471 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 37
2024-04-11 15:29:08,515 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 37, 'relation': 'eq'}
2024-04-11 15:29:08,516 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:29:09,846 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch nt_fw_local.
2024-04-11 15:29:09,847 - kestrel.codegen.prefetch - INFO - prefetch does not happen without STIX pattern generated.
2024-04-11 15:29:09,861 - kestrel.codegen.prefetch - INFO - generate pattern for prefetch remoteip_local.
2024-04-11 15:29:10,275 - kestrel.codegen.prefetch - INFO - STIX pattern generated in prefetch: [ipv4-addr:value IN ('172.16.1.14','172.16.1.13')] START t'2024-03-06T16:04:53.000Z' STOP t'2024-03-06T19:02:34.839Z'
2024-04-11 15:29:10,333 - stix_shifter_modules.elastic_ecs.stix_translation.query_translator - INFO - Converting STIX2 Pattern to data source query
2024-04-11 15:29:12,316 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-11 15:29:12,317 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 121
2024-04-11 15:29:12,360 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of hits:{'value': 121, 'relation': 'eq'}
2024-04-11 15:29:12,361 - stix_shifter_modules.elastic_ecs.stix_transmission.connector - ERROR - Total # of records: 0
2024-04-11 15:29:14,203 - file - DEBUG - mqtt -- publishing msg ***
2024-04-11 15:29:14,203 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-11 15:29:14,203 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "27861ae069ee47e89da149987674a5d1", "created": 1712863754202, "from": "oif-device-priapus-1712863460578"}, "body": {"openc2": {"response": {"status": 200, "results": {"remoteip": {"value": "172.16.1.14", "id": "ipv4-addr--63150511-f347-50d6-bb0d-e7d9ac7bd017", "type": "ipv4-addr"}}}}}}
2024-04-16 10:35:29,281 - file - DEBUG - Debug FILE -- App Started
2024-04-16 10:35:29,733 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-16 10:36:56,661 - file - DEBUG - Debug FILE -- App Started
2024-04-16 10:36:57,330 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-16 10:37:03,747 - file - DEBUG - mqtt -- msg received ***
2024-04-16 10:37:03,747 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 10:37:03,747 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "d3cf5b10-cb5c-45d4-8d25-8964b93b7080", "from": "mqtt_tester-priapus-1713278223443", "to": "test_receiver", "created": 1713278223444}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-16 10:37:03,759 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 10:37:03,759 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 10:37:03,759 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "d3cf5b10-cb5c-45d4-8d25-8964b93b7080", "created": 1713278223758, "from": "oif-device-priapus-1713278216644"}, "body": {"openc2": {"response": {"status": 200, "results": "investigate action completed by OIF Device"}}}}
2024-04-16 12:46:40,125 - file - DEBUG - Debug FILE -- App Started
2024-04-16 12:46:40,640 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-16 13:17:30,632 - file - DEBUG - mqtt -- msg received ***
2024-04-16 13:17:30,632 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 13:17:30,633 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "0c73b8812ee0460db2236253bfe184ad", "created": 1713287849458, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 13:17:30,648 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 13:17:30,648 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 13:17:30,648 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "0c73b8812ee0460db2236253bfe184ad", "created": 1713287850646, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 13:52:54,533 - file - DEBUG - mqtt -- msg received ***
2024-04-16 13:52:54,533 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 13:52:54,533 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "49c8b3df48fc40b9a9bd30e66e2153ea", "created": 1713289971900, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 13:52:54,547 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 13:52:54,547 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 13:52:54,547 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "49c8b3df48fc40b9a9bd30e66e2153ea", "created": 1713289974546, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 14:31:46,192 - file - DEBUG - mqtt -- msg received ***
2024-04-16 14:31:46,192 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 14:31:46,192 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "c37ed1d7d46f47b89ab61094206adf7f", "created": 1713292304943, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 14:31:46,205 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 14:31:46,205 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 14:31:46,205 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "c37ed1d7d46f47b89ab61094206adf7f", "created": 1713292306204, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 14:32:53,784 - file - DEBUG - mqtt -- msg received ***
2024-04-16 14:32:53,784 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 14:32:53,784 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "2b945db3598e4fee87abdc1986066e54", "created": 1713292372666, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 14:32:53,800 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 14:32:53,800 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 14:32:53,800 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "2b945db3598e4fee87abdc1986066e54", "created": 1713292373799, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 14:34:19,491 - file - DEBUG - mqtt -- msg received ***
2024-04-16 14:34:19,491 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 14:34:19,491 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "a06b783ea7d9408b8d48d4897410ea9f", "created": 1713292458372, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 14:34:19,504 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 14:34:19,504 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 14:34:19,504 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "a06b783ea7d9408b8d48d4897410ea9f", "created": 1713292459504, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 14:37:04,565 - file - DEBUG - mqtt -- msg received ***
2024-04-16 14:37:04,567 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 14:37:04,568 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "579efa36c1394ecb9988f30b13cd84be", "created": 1713292623450, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 14:37:04,584 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 14:37:04,584 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 14:37:04,584 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "579efa36c1394ecb9988f30b13cd84be", "created": 1713292624584, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-16 14:39:05,194 - file - DEBUG - mqtt -- msg received ***
2024-04-16 14:39:05,194 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-16 14:39:05,195 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "355c39f9b72c4262a6657a0919c37aa9", "created": 1713292744038, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-16 14:39:05,216 - file - DEBUG - mqtt -- publishing msg ***
2024-04-16 14:39:05,216 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-16 14:39:05,216 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "355c39f9b72c4262a6657a0919c37aa9", "created": 1713292745216, "from": "oif-device-priapus-1713286000107"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-17 14:06:55,249 - file - DEBUG - Debug FILE -- App Started
2024-04-17 14:06:55,858 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-17 14:07:09,531 - file - DEBUG - mqtt -- msg received ***
2024-04-17 14:07:09,531 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-17 14:07:09,531 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "efafe403-a3d4-431f-9eba-c23c12430a7b", "from": "mqtt_tester-priapus-1713377229148", "to": "test_receiver", "created": 1713377229149}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-17 14:07:09,547 - file - DEBUG - mqtt -- publishing msg ***
2024-04-17 14:07:09,547 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-17 14:07:09,547 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "efafe403-a3d4-431f-9eba-c23c12430a7b", "created": 1713377229545, "from": "oif-device-priapus-1713377215231"}, "body": {"openc2": {"response": {"status": 200, "results": "investigate action completed by OIF Device"}}}}
2024-04-17 14:09:35,147 - file - DEBUG - mqtt -- msg received ***
2024-04-17 14:09:35,147 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-17 14:09:35,148 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "4ac0520f36b442a49b87fb17e3a4973c", "created": 1713377373975, "from": "oc2-orch2-priapus"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-17 14:09:35,162 - file - DEBUG - mqtt -- publishing msg ***
2024-04-17 14:09:35,163 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-17 14:09:35,163 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "4ac0520f36b442a49b87fb17e3a4973c", "created": 1713377375162, "from": "oif-device-priapus-1713377215231"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}
2024-04-17 14:20:36,282 - file - DEBUG - Debug FILE -- App Started
2024-04-17 14:20:36,869 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-17 14:20:47,718 - file - DEBUG - mqtt -- msg received ***
2024-04-17 14:20:47,718 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-17 14:20:47,718 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "e5d997e9-6945-497c-9a37-ba2cef830f1c", "from": "mqtt_tester-priapus-1713378047319", "to": "test_receiver", "created": 1713378047320}, "body": {"openc2": {"request": {"action": "investigate", "target": {"th": {"hunt": "./hunts/jinja/oc2-hunt-1.jhf"}}}}}}
2024-04-17 14:20:47,734 - file - DEBUG - mqtt -- publishing msg ***
2024-04-17 14:20:47,734 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-17 14:20:47,735 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "e5d997e9-6945-497c-9a37-ba2cef830f1c", "created": 1713378047732, "from": "oif-device-priapus-1713378036263"}, "body": {"openc2": {"response": {"status": 200, "results": "investigate action completed by OIF Device"}}}}
2024-04-17 14:21:04,144 - file - DEBUG - Debug FILE -- App Started
2024-04-17 14:21:04,257 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-17 14:32:06,187 - file - DEBUG - Debug FILE -- App Started
2024-04-17 14:32:06,743 - asyncio - DEBUG - Using selector: EpollSelector
2024-04-17 14:41:43,567 - file - DEBUG - mqtt -- msg received ***
2024-04-17 14:41:43,567 - file - DEBUG - mqtt -- topic: oc2/cmd/ap/hunt
2024-04-17 14:41:43,567 - file - DEBUG - mqtt -- msg: {"headers": {"request_id": "ee5aac85d73c49e4b825f9ebbfc36fea", "created": 1713379301354, "from": "oc2-orch2-MacBook-Pro"}, "body": {"openc2": {"request": {"action": "query", "target": {"th": {"huntflows": {"path": "./"}}}}}}}
2024-04-17 14:41:43,588 - file - DEBUG - mqtt -- publishing msg ***
2024-04-17 14:41:43,588 - file - DEBUG - mqtt -- topic: oc2/rsp
2024-04-17 14:41:43,588 - file - DEBUG - mqtt -- rsp msg: {"headers": {"request_id": "ee5aac85d73c49e4b825f9ebbfc36fea", "created": 1713379303585, "from": "oif-device-priapus-1713378726168"}, "body": {"openc2": {"response": {"status": 200, "results": "query action completed by OIF Device"}}}}