534500x800000000000000088077182Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.676{ec28c72e-9293-62e1-a8c4-fdd7e9550000}17282/usr/bin/base64root 154100x800000000000000088077180Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.675{ec28c72e-9293-62e1-a8c4-fdd7e9550000}17282/usr/bin/base64-----base64 -de/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-9293-62e1-6852-7dd320560000}17280/bin/dashshroot 154100x800000000000000088077178Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.674{ec28c72e-9293-62e1-6852-7dd320560000}17280/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 -decod > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{00000000-0000-0000-0000-000000000000}16263--- 534500x800000000000000088077012Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.624{ec28c72e-9288-62e1-a844-aa6e62550000}17273/usr/bin/base64root 154100x800000000000000088077011Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.622{ec28c72e-9288-62e1-a844-aa6e62550000}17273/usr/bin/base64-----base64/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-9288-62e1-6812-195ed4550000}17271/bin/dashshroot 154100x800000000000000088077008Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.621{ec28c72e-9288-62e1-6812-195ed4550000}17271/usr/bin/base64-----sh -c echo "echo Hello from the Atomic Red Team && uname -v" | base64 > /tmp/encoded.dat/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{00000000-0000-0000-0000-000000000000}16263--- 534500x800000000000000088076308Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.949{ec28c72e-927f-62e1-a844-726b73550000}17258/usr/bin/base64root 154100x800000000000000088076307Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.947{ec28c72e-927f-62e1-a844-726b73550000}17258/usr/bin/base64-----base64 -dec/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-927f-62e1-6832-625a24560000}17255/bin/dashshroot 154100x800000000000000088076303Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.946{ec28c72e-927f-62e1-6832-625a24560000}17255/bin/dash-----sh -c cat /tmp/encoded.dat | base64 -d > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-6e44-62e1-bd1d-3e96fa550000}16263/opt/microsoft/powershell/7/pwshpwshroot 154100x80000000000000001000001Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:01.000{ec28c72e-9293-62e1-a8c4-fdd7e9550006}20001/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 -decode > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot 154100x80000000000000001000002Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:02.000{ec28c72e-9293-62e1-a8c4-fdd7e9550005}20002/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 -d > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot 154100x80000000000000001000003Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:03.000{ec28c72e-9293-62e1-a8c4-fdd7e9550004}20003/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 --deco/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot 154100x80000000000000001000004Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:04.000{ec28c72e-9293-62e1-a8c4-fdd7e9550003}20004/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 --de/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot 154100x80000000000000001000005Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:05.000{ec28c72e-9293-62e1-a8c4-fdd7e9550002}20005/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 --d/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot 154100x80000000000000001000006Linux-Sysmon/Operationaltest-linux-system-2023-06-24 10:00:06.000{ec28c72e-9293-62e1-a8c4-fdd7e9550001}20006/usr/bin/base64-----sh -c cat /tmp/encoded.dat | base64 -d/tmproot{ec28c72e-927f-62e1-6832-625a24560000}01no level-{ec28c72e-927f-62e1-6832-625a24560000}20000/bin/dashshroot