534500x800000000000000088077182Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.676{ec28c72e-9293-62e1-a8c4-fdd7e9550000}17282/usr/bin/base64root 154100x800000000000000088077180Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.675{ec28c72e-9293-62e1-a8c4-fdd7e9550000}17282/usr/bin/base64-----base64 -d/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-9293-62e1-6852-7dd320560000}17280/bin/dashshroot 154100x800000000000000088077178Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:31.674{ec28c72e-9293-62e1-6852-7dd320560000}17280/bin/dash-----sh -c cat /tmp/encoded.dat | base64 -d > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{00000000-0000-0000-0000-000000000000}16263--- 534500x800000000000000088077012Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.624{ec28c72e-9288-62e1-a844-aa6e62550000}17273/usr/bin/base64root 154100x800000000000000088077011Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.622{ec28c72e-9288-62e1-a844-aa6e62550000}17273/usr/bin/base64-----base64/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-9288-62e1-6812-195ed4550000}17271/bin/dashshroot 154100x800000000000000088077008Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:20.621{ec28c72e-9288-62e1-6812-195ed4550000}17271/bin/dash-----sh -c echo "echo Hello from the Atomic Red Team && uname -v" | base64 > /tmp/encoded.dat/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{00000000-0000-0000-0000-000000000000}16263--- 534500x800000000000000088076308Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.949{ec28c72e-927f-62e1-a844-726b73550000}17258/usr/bin/base64root 154100x800000000000000088076307Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.947{ec28c72e-927f-62e1-a844-726b73550000}17258/usr/bin/base64-----base64 -d/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-927f-62e1-6832-625a24560000}17255/bin/dashshroot 154100x800000000000000088076303Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-27 19:31:11.946{ec28c72e-927f-62e1-6832-625a24560000}17255/bin/dash-----sh -c cat /tmp/encoded.dat | base64 -d > /tmp/art.sh; chmod +x /tmp/art.sh; /tmp/art.sh/tmproot{ec28c72e-0000-0000-0000-000000000000}0701no level-{ec28c72e-6e44-62e1-bd1d-3e96fa550000}16263/opt/microsoft/powershell/7/pwshpwshroot