23542300x80000000000000002140940Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:00.961{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002140941Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:03.357{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34164-false10.0.1.12-8000- 354300x80000000000000002140942Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:08.455{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34166-false10.0.1.12-8000- 354300x80000000000000002140943Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:14.407{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34168-false10.0.1.12-8000- 354300x80000000000000002140944Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:19.477{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34170-false10.0.1.12-8000- 23542300x80000000000000002140945Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:22.901{ec230001-670f-6262-80a2-6ab686550000}2160ubuntu/bin/nano/home/ubuntu/./.orchshred.sh.swp--- 534500x80000000000000002140946Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:22.902{ec230001-670f-6262-80a2-6ab686550000}2160/bin/nanoubuntu 154100x80000000000000002140947Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:25.049{ec230001-69bd-6262-e8a6-50d2b5550000}2177/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002140948Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:25.052{ec230001-69bd-6262-e8a6-50d2b5550000}2177/bin/lsubuntu 354300x80000000000000002140949Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:25.366{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34172-false10.0.1.12-8000- 23542300x80000000000000002140950Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:31.005{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002140951Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:31.289{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34174-false10.0.1.12-8000- 534500x80000000000000002140952Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:32.070{00000000-0000-0000-0000-000000000000}2178<unknown process>ubuntu 534500x80000000000000002140953Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:32.071{00000000-0000-0000-0000-000000000000}2179<unknown process>ubuntu 23542300x80000000000000002140954Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:32.072{ec230001-643a-6262-08d4-9f8d0f560000}1965ubuntu/bin/bash/tmp/sh-thd.kxPNzd--- 154100x80000000000000002140955Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:32.834{ec230001-69c4-6262-d069-e6febb550000}2180/bin/cat-----cat orchshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002140956Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:32.835{ec230001-69c4-6262-d069-e6febb550000}2180/bin/catubuntu 154100x80000000000000002140957Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:33.693{ec230001-69c5-6262-6814-304221560000}2181/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002140958Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:33.704{ec230001-69c5-6262-6814-304221560000}2181/bin/psroot 354300x80000000000000002140959Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:36.454{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34176-false10.0.1.12-8000- 354300x80000000000000002140960Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:42.332{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34178-false10.0.1.12-8000- 534500x80000000000000002140961Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:44.212{00000000-0000-0000-0000-000000000000}2182<unknown process>ubuntu 23542300x80000000000000002140963Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:44.213{ec230001-643a-6262-08d4-9f8d0f560000}1965ubuntu/bin/bash/tmp/sh-thd.N4Ib7O--- 534500x80000000000000002140962Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:44.213{ec230001-60ec-6262-c89a-4e13d6550000}2183-ubuntu 534500x80000000000000002140964Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:45.943{00000000-0000-0000-0000-000000000000}2184<unknown process>ubuntu 23542300x80000000000000002140966Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:45.945{ec230001-643a-6262-08d4-9f8d0f560000}1965ubuntu/bin/bash/tmp/sh-thd.A96ynv--- 534500x80000000000000002140965Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:45.945{00000000-0000-0000-0000-000000000000}2185<unknown process>ubuntu 354300x80000000000000002140967Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:46.337{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37164-false10.0.1.12-8089- 154100x80000000000000002140968Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:46.459{ec230001-69d2-6262-d0f9-6d8e30560000}2186/bin/cat-----cat orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002140969Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:46.461{ec230001-69d2-6262-d0f9-6d8e30560000}2186/bin/catubuntu 354300x80000000000000002140970Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:47.402{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34182-false10.0.1.12-8000- 534500x80000000000000002140971Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:51.625{00000000-0000-0000-0000-000000000000}2187<unknown process>ubuntu 23542300x80000000000000002140973Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:51.627{ec230001-643a-6262-08d4-9f8d0f560000}1965ubuntu/bin/bash/tmp/sh-thd.fxve9q--- 534500x80000000000000002140972Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:51.627{00000000-0000-0000-0000-000000000000}2188<unknown process>ubuntu 154100x80000000000000002140974Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:52.071{ec230001-69d8-6262-e061-b20406560000}2189/bin/chmod-----chmod 777 orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002140975Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:52.072{ec230001-69d8-6262-e061-b20406560000}2189/bin/chmodubuntu 354300x80000000000000002140976Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:53.279{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34184-false10.0.1.12-8000- 354300x80000000000000002140977Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:39:58.474{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34186-false10.0.1.12-8000- 23542300x80000000000000002140978Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:01.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002140979Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:04.409{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34188-false10.0.1.12-8000- 354300x80000000000000002140980Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:10.345{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34190-false10.0.1.12-8000- 354300x80000000000000002140981Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:16.327{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34192-false10.0.1.12-8000- 354300x80000000000000002140982Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:21.349{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34194-false10.0.1.12-8000- 354300x80000000000000002140983Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:26.484{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34196-false10.0.1.12-8000- 23542300x80000000000000002140984Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:31.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002140985Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:32.292{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34198-false10.0.1.12-8000- 154100x80000000000000002140986Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:34.764{ec230001-6a02-6262-6844-7b5be3550000}2190/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002140987Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:34.775{ec230001-6a02-6262-6844-7b5be3550000}2190/bin/psroot 354300x80000000000000002140988Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:37.349{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34200-false10.0.1.12-8000- 354300x80000000000000002140989Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:43.322{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34202-false10.0.1.12-8000- 354300x80000000000000002140990Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:46.341{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37188-false10.0.1.12-8089- 354300x80000000000000002140991Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:49.246{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34206-false10.0.1.12-8000- 354300x80000000000000002140992Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:54.350{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34208-false10.0.1.12-8000- 354300x80000000000000002140993Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:40:59.397{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34210-false10.0.1.12-8000- 23542300x80000000000000002140994Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:01.013{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002140995Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:04.464{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34212-false10.0.1.12-8000- 354300x80000000000000002140996Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:10.245{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34214-false10.0.1.12-8000- 354300x80000000000000002140997Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:15.269{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34216-false10.0.1.12-8000- 354300x80000000000000002140998Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:20.321{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34218-false10.0.1.12-8000- 534500x80000000000000002140999Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:22.304{00000000-0000-0000-0000-000000000000}1981<unknown process>root 354300x80000000000000002141000Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:26.256{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34220-false10.0.1.12-8000- 154100x80000000000000002141001Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:28.541{ec230001-6a38-6262-e8c6-00f110560000}2191/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002141002Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:28.544{ec230001-6a38-6262-e8c6-00f110560000}2191/bin/lsubuntu 23542300x80000000000000002141003Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.006{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141004Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.257{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34222-false10.0.1.12-8000- 534500x80000000000000002141005Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.312{00000000-0000-0000-0000-000000000000}2192<unknown process>ubuntu 23542300x80000000000000002141007Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.313{ec230001-643a-6262-08d4-9f8d0f560000}1965ubuntu/bin/bash/tmp/sh-thd.M5POWK--- 534500x80000000000000002141006Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.313{ec230001-60ec-6262-c89a-4e13d6550000}2193-ubuntu 154100x80000000000000002141008Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:31.995{ec230001-6a3b-6262-7003-9c9621560000}2194/bin/rm-----rm orchshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 154100x80000000000000002141009Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:35.776{ec230001-6a3f-6262-6854-fb39ee550000}2195/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141010Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:35.786{ec230001-6a3f-6262-6854-fb39ee550000}2195/bin/psroot 354300x80000000000000002141011Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:36.401{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34224-false10.0.1.12-8000- 23542300x80000000000000002141012Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:37.089{ec230001-6a3b-6262-7003-9c9621560000}2194ubuntu/bin/rm/home/ubuntu/orchshred.sh--- 534500x80000000000000002141013Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:37.090{ec230001-6a3b-6262-7003-9c9621560000}2194/bin/rmubuntu 154100x80000000000000002141014Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:39.409{ec230001-6a43-6262-e8f6-88f188550000}2196/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002141015Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:39.411{ec230001-6a43-6262-e8f6-88f188550000}2196/bin/lsubuntu 154100x80000000000000002141016Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:41.409{ec230001-6a45-6262-08b6-5f9942560000}2197/usr/bin/clear-----clear/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002141017Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:41.410{ec230001-6a45-6262-08b6-5f9942560000}2197/usr/bin/clearubuntu 354300x80000000000000002141018Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:41.476{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34226-false10.0.1.12-8000- 154100x80000000000000002141019Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:42.446{ec230001-6a46-6262-e896-c44c4c560000}2198/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002141020Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:42.449{ec230001-6a46-6262-e896-c44c4c560000}2198/bin/lsubuntu 354300x80000000000000002141021Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:46.345{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37212-false10.0.1.12-8089- 354300x80000000000000002141022Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:47.310{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34230-false10.0.1.12-8000- 534500x80000000000000002141023Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:50.668{ec230001-60ec-6262-c89a-4e13d6550000}462/lib/systemd/systemd-journaldroot 354300x80000000000000002141024Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:52.416{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34232-false10.0.1.12-8000- 354300x80000000000000002141025Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:41:58.306{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34234-false10.0.1.12-8000- 23542300x80000000000000002141026Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:01.004{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141027Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:03.468{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34236-false10.0.1.12-8000- 354300x80000000000000002141028Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:09.257{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34238-false10.0.1.12-8000- 354300x80000000000000002141029Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:14.267{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34240-false10.0.1.12-8000- 354300x80000000000000002141030Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:19.287{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34242-false10.0.1.12-8000- 354300x80000000000000002141031Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:24.463{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34244-false10.0.1.12-8000- 354300x80000000000000002141032Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:30.323{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34246-false10.0.1.12-8000- 23542300x80000000000000002141033Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:31.006{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141034Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:36.237{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34248-false10.0.1.12-8000- 154100x80000000000000002141035Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:36.817{ec230001-6a7c-6262-68c4-156cc4550000}2200/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141036Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:36.827{ec230001-6a7c-6262-68c4-156cc4550000}2200/bin/psroot 354300x80000000000000002141037Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:41.252{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34250-false10.0.1.12-8000- 354300x80000000000000002141038Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:46.314{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34252-false10.0.1.12-8000- 354300x80000000000000002141039Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:46.349{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37238-false10.0.1.12-8089- 354300x80000000000000002141040Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:51.358{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34256-false10.0.1.12-8000- 354300x80000000000000002141041Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:42:56.449{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34258-false10.0.1.12-8000- 23542300x80000000000000002141042Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:00.983{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141043Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:02.294{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34260-false10.0.1.12-8000- 354300x80000000000000002141044Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:07.340{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34262-false10.0.1.12-8000- 354300x80000000000000002141045Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:13.286{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34264-false10.0.1.12-8000- 354300x80000000000000002141046Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:18.422{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34266-false10.0.1.12-8000- 354300x80000000000000002141047Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:24.311{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34268-false10.0.1.12-8000- 354300x80000000000000002141048Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:29.467{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34270-false10.0.1.12-8000- 23542300x80000000000000002141049Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:30.891{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141050Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:35.416{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34272-false10.0.1.12-8000- 154100x80000000000000002141051Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:37.828{ec230001-6ab9-6262-6814-395318560000}2201/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141052Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:37.838{ec230001-6ab9-6262-6814-395318560000}2201/bin/psroot 354300x80000000000000002141053Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:41.392{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34274-false10.0.1.12-8000- 354300x80000000000000002141054Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:46.354{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37260-false10.0.1.12-8089- 354300x80000000000000002141055Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:47.242{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34278-false10.0.1.12-8000- 354300x80000000000000002141056Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:52.270{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34280-false10.0.1.12-8000- 354300x80000000000000002141057Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:43:57.476{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34282-false10.0.1.12-8000- 23542300x80000000000000002141058Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:01.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141059Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:03.332{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34284-false10.0.1.12-8000- 354300x80000000000000002141060Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:09.255{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34286-false10.0.1.12-8000- 354300x80000000000000002141061Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:14.388{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34288-false10.0.1.12-8000- 354300x80000000000000002141062Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:20.274{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34290-false10.0.1.12-8000- 354300x80000000000000002141063Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:25.294{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34292-false10.0.1.12-8000- 23542300x80000000000000002141064Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:31.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141065Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:31.281{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34294-false10.0.1.12-8000- 354300x80000000000000002141066Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:36.286{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34296-false10.0.1.12-8000- 154100x80000000000000002141067Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:38.859{ec230001-6af6-6262-6854-57018b550000}2202/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141068Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:38.871{ec230001-6af6-6262-6854-57018b550000}2202/bin/psroot 354300x80000000000000002141069Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:41.333{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34298-false10.0.1.12-8000- 354300x80000000000000002141070Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:46.335{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34300-false10.0.1.12-8000- 354300x80000000000000002141071Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:46.358{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37286-false10.0.1.12-8089- 354300x80000000000000002141072Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:51.407{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34304-false10.0.1.12-8000- 354300x80000000000000002141073Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:44:57.266{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34306-false10.0.1.12-8000- 23542300x80000000000000002141074Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:01.008{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141075Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:02.373{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34308-false10.0.1.12-8000- 354300x80000000000000002141076Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:08.249{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34310-false10.0.1.12-8000- 354300x80000000000000002141077Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:14.241{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34312-false10.0.1.12-8000- 354300x80000000000000002141078Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:19.359{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34314-false10.0.1.12-8000- 354300x80000000000000002141079Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:25.321{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34316-false10.0.1.12-8000- 354300x80000000000000002141080Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:30.427{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34318-false10.0.1.12-8000- 23542300x80000000000000002141081Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:31.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141082Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:35.428{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34320-false10.0.1.12-8000- 154100x80000000000000002141083Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:39.873{ec230001-6b33-6262-6864-fec4d0550000}2203/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141084Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:39.887{ec230001-6b33-6262-6864-fec4d0550000}2203/bin/psroot 354300x80000000000000002141085Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:41.345{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34322-false10.0.1.12-8000- 354300x80000000000000002141086Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:46.362{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37308-false10.0.1.12-8089- 354300x80000000000000002141087Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:46.465{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34326-false10.0.1.12-8000- 354300x80000000000000002141088Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:52.276{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34328-false10.0.1.12-8000- 354300x80000000000000002141089Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:45:57.343{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34330-false10.0.1.12-8000- 23542300x80000000000000002141090Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:01.008{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141091Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:02.429{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34332-false10.0.1.12-8000- 354300x80000000000000002141092Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:07.472{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34334-false10.0.1.12-8000- 354300x80000000000000002141093Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:13.335{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34336-false10.0.1.12-8000- 354300x80000000000000002141094Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:18.461{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34338-false10.0.1.12-8000- 354300x80000000000000002141095Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:23.476{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34340-false10.0.1.12-8000- 534500x80000000000000002141097Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:26.995{ec230001-6b62-6262-0000-000000000000}2204-ubuntu 534500x80000000000000002141096Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:26.995{00000000-0000-0000-0000-000000000000}2205<unknown process>ubuntu 354300x80000000000000002141098Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:29.424{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34342-false10.0.1.12-8000- 23542300x80000000000000002141099Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:31.007{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x80000000000000002141100Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.235{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudo-----sudo ./orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141101Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.238{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudoubuntuudptruefalse127.0.0.1-52605-false127.0.0.53-53- 354300x80000000000000002141104Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.239{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-59806-false10.0.0.2-53- 354300x80000000000000002141103Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.239{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-45196-false10.0.0.2-53- 354300x80000000000000002141102Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.239{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudpfalsefalse0.0.0.0-0-false127.0.0.53-53- 354300x80000000000000002141106Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.241{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-52605- 354300x80000000000000002141105Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.241{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudpfalsefalse10.0.0.2-53-false10.0.1.20-45196- 354300x80000000000000002141107Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.242{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudoubuntuudpfalsefalse127.0.0.53-53-false127.0.0.1-52605- 354300x80000000000000002141108Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.245{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudpfalsefalse10.0.0.2-53-false10.0.1.20-59806- 354300x80000000000000002141110Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.246{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-46182- 354300x80000000000000002141109Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.246{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudoubuntuudptruefalse127.0.0.1-46182-false127.0.0.53-53- 154100x80000000000000002141111Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.250{ec230001-6b68-6262-68a2-c306e5550000}2207/bin/dash-----sh ./orshred.sh/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudosudoubuntu 534500x80000000000000002141113Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.252{ec230001-6b68-6262-088e-45e829560000}2206/usr/bin/sudoroot 534500x80000000000000002141112Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:32.252{ec230001-6b68-6262-68a2-c306e5550000}2207/bin/dashroot 354300x80000000000000002141114Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:35.314{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34344-false10.0.1.12-8000- 154100x80000000000000002141115Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:40.054{ec230001-6b70-6262-d099-95d2b8550000}2208/bin/cat-----cat orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 534500x80000000000000002141116Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:40.055{ec230001-6b70-6262-d099-95d2b8550000}2208/bin/catubuntu 154100x80000000000000002141117Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:40.901{ec230001-6b70-6262-6884-3fdd46560000}2209/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141118Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:40.911{ec230001-6b70-6262-6884-3fdd46560000}2209/bin/psroot 354300x80000000000000002141119Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:41.308{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34346-false10.0.1.12-8000- 154100x80000000000000002141120Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:45.949{ec230001-6b75-6262-80d2-35c43a560000}2210/bin/nano-----nano orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141121Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:46.310{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34348-false10.0.1.12-8000- 354300x80000000000000002141122Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:46.366{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37334-false10.0.1.12-8089- 23542300x80000000000000002141123Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:49.042{ec230001-6b75-6262-80d2-35c43a560000}2210ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 534500x80000000000000002141124Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:50.912{ec230001-60ec-6262-c89a-4e13d6550000}462/lib/systemd/systemd-journaldroot 23542300x80000000000000002141125Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:52.136{ec230001-6b75-6262-80d2-35c43a560000}2210ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 534500x80000000000000002141126Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:52.137{ec230001-6b75-6262-80d2-35c43a560000}2210/bin/nanoubuntu 354300x80000000000000002141127Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:52.245{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34352-false10.0.1.12-8000- 154100x80000000000000002141128Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.926{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudo-----sudo ./orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141131Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.930{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-57065-false10.0.0.2-53- 354300x80000000000000002141130Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.930{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-38908-false10.0.0.2-53- 354300x80000000000000002141129Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.930{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudoubuntuudptruefalse127.0.0.1-51847-false127.0.0.53-53- 354300x80000000000000002141135Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.931{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-43361- 354300x80000000000000002141134Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.931{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudoubuntuudptruefalse127.0.0.1-43361-false127.0.0.53-53- 354300x80000000000000002141133Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.931{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudoubuntuudpfalsefalse127.0.0.53-53-false127.0.0.1-43361- 354300x80000000000000002141132Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.931{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-51847- 154100x80000000000000002141136Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.934{ec230001-6b7e-6262-68e2-2d59bc550000}2213/bin/dash-----sh ./orshred.sh/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudosudoubuntu 154100x80000000000000002141137Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.935{ec230001-6b7e-6262-7012-c6e3d5550000}2214/usr/bin/crontab-----crontab -l/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6b7e-6262-68e2-2d59bc550000}2213/bin/dashshroot 534500x80000000000000002141139Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.938{ec230001-6b7e-6262-68e2-2d59bc550000}2213/bin/dashroot 534500x80000000000000002141138Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.938{ec230001-6b7e-6262-7012-c6e3d5550000}2214/usr/bin/crontabroot 534500x80000000000000002141140Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:54.939{ec230001-6b7e-6262-082e-81b5d3550000}2212/usr/bin/sudoroot 354300x80000000000000002141141Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:46:57.485{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34354-false10.0.1.12-8000- 23542300x80000000000000002141142Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:01.004{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141143Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:03.428{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34356-false10.0.1.12-8000- 154100x80000000000000002141144Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:03.494{ec230001-6b87-6262-80e2-d7f383550000}2215/bin/nano-----nano orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 23542300x80000000000000002141145Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:07.121{ec230001-6b87-6262-80e2-d7f383550000}2215ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 354300x80000000000000002141146Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:09.317{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34358-false10.0.1.12-8000- 354300x80000000000000002141147Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:14.366{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34360-false10.0.1.12-8000- 23542300x80000000000000002141148Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:20.091{ec230001-6b87-6262-80e2-d7f383550000}2215ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 534500x80000000000000002141149Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:20.092{ec230001-6b87-6262-80e2-d7f383550000}2215/bin/nanoubuntu 354300x80000000000000002141150Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:20.253{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34362-false10.0.1.12-8000- 534500x80000000000000002141151Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:25.344{00000000-0000-0000-0000-000000000000}2218<unknown process>ubuntu 534500x80000000000000002141153Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:25.345{00000000-0000-0000-0000-000000000000}2217<unknown process>ubuntu 534500x80000000000000002141152Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:25.345{00000000-0000-0000-0000-000000000000}2219<unknown process>ubuntu 354300x80000000000000002141154Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:25.415{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34364-false10.0.1.12-8000- 154100x80000000000000002141155Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.653{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudo-----sudo ./orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141162Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-37466- 354300x80000000000000002141161Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudoubuntuudptruefalse127.0.0.1-37466-false127.0.0.53-53- 354300x80000000000000002141160Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudoubuntuudpfalsefalse127.0.0.53-53-false127.0.0.1-37466- 354300x80000000000000002141159Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-36010- 354300x80000000000000002141158Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-52621-false10.0.0.2-53- 354300x80000000000000002141157Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-42217-false10.0.0.2-53- 354300x80000000000000002141156Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.657{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudoubuntuudptruefalse127.0.0.1-36010-false127.0.0.53-53- 154100x80000000000000002141163Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.660{ec230001-6ba0-6262-68b2-35a402560000}2221/bin/dash-----sh ./orshred.sh/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudosudoubuntu 154100x80000000000000002141164Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.661{ec230001-6ba0-6262-089e-89b85d550000}2222/usr/bin/sudo-----sudo echo echo 'you are infected by wsol.sh'/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6ba0-6262-68b2-35a402560000}2221/bin/dashshroot 354300x80000000000000002141168Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.664{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-50085- 354300x80000000000000002141167Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.664{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-43125-false10.0.0.2-53- 354300x80000000000000002141166Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.664{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-41538-false10.0.0.2-53- 354300x80000000000000002141165Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.664{ec230001-6ba0-6262-089e-89b85d550000}2222/usr/bin/sudorootudptruefalse127.0.0.1-50085-false127.0.0.53-53- 354300x80000000000000002141170Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.665{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-44708- 354300x80000000000000002141169Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.665{ec230001-6ba0-6262-089e-89b85d550000}2222/usr/bin/sudorootudptruefalse127.0.0.1-44708-false127.0.0.53-53- 154100x80000000000000002141171Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.668{ec230001-6ba0-6262-d8ad-ae533b560000}2223/bin/echo-----echo echo 'you are infected by wsol.sh'/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6ba0-6262-089e-89b85d550000}2222/usr/bin/sudosudoroot 534500x80000000000000002141173Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.670{ec230001-6ba0-6262-089e-89b85d550000}2222/usr/bin/sudoroot 534500x80000000000000002141172Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.670{ec230001-6ba0-6262-d8ad-ae533b560000}2223/bin/echoroot 154100x80000000000000002141174Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.671{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudo-----sudo crontab -l/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6ba0-6262-68b2-35a402560000}2221/bin/dashshroot 354300x80000000000000002141175Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.673{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudorootudptruefalse127.0.0.1-36476-false127.0.0.53-53- 354300x80000000000000002141181Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-36168- 354300x80000000000000002141180Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudorootudptruefalse127.0.0.1-36168-false127.0.0.53-53- 354300x80000000000000002141179Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudorootudpfalsefalse127.0.0.53-53-false127.0.0.1-36168- 354300x80000000000000002141178Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-36476- 354300x80000000000000002141177Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-55248-false10.0.0.2-53- 354300x80000000000000002141176Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.674{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-42397-false10.0.0.2-53- 154100x80000000000000002141182Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.677{ec230001-6ba0-6262-70d2-f9e680550000}2225/usr/bin/crontab-----crontab -l/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudosudoroot 534500x80000000000000002141185Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.679{ec230001-6ba0-6262-68b2-35a402560000}2221/bin/dashroot 534500x80000000000000002141184Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.679{ec230001-6ba0-6262-08ae-8ad2fa550000}2224/usr/bin/sudoroot 534500x80000000000000002141183Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.679{ec230001-6ba0-6262-70d2-f9e680550000}2225/usr/bin/crontabroot 534500x80000000000000002141186Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:28.680{ec230001-6ba0-6262-08de-e715af550000}2220/usr/bin/sudoroot 23542300x80000000000000002141187Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:31.004{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141188Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:31.325{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34366-false10.0.1.12-8000- 154100x80000000000000002141189Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:35.483{ec230001-6ba7-6262-80d2-cd29c6550000}2226/bin/nano-----nano orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141190Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:36.389{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34368-false10.0.1.12-8000- 154100x80000000000000002141191Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:41.912{ec230001-6bad-6262-68e4-f00e44560000}2227/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141192Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:41.923{ec230001-6bad-6262-68e4-f00e44560000}2227/bin/psroot 354300x80000000000000002141193Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:42.254{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34370-false10.0.1.12-8000- 23542300x80000000000000002141194Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:43.279{ec230001-6ba7-6262-80d2-cd29c6550000}2226ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 354300x80000000000000002141195Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:46.371{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37356-false10.0.1.12-8089- 23542300x80000000000000002141196Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:46.383{ec230001-6ba7-6262-80d2-cd29c6550000}2226ubuntu/bin/nano/home/ubuntu/./.orshred.sh.swp--- 534500x80000000000000002141197Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:46.384{ec230001-6ba7-6262-80d2-cd29c6550000}2226/bin/nanoubuntu 354300x80000000000000002141198Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:47.277{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34374-false10.0.1.12-8000- 154100x80000000000000002141199Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.487{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudo-----sudo ./orshred.sh/home/ubuntuubuntu{ec230001-643b-6262-e803-000000000000}10001no level-{ec230001-643a-6262-08d4-9f8d0f560000}1965/bin/bash-bashubuntu 354300x80000000000000002141202Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.492{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-49727-false10.0.0.2-53- 354300x80000000000000002141201Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.492{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-38020-false10.0.0.2-53- 354300x80000000000000002141200Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.492{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudoubuntuudptruefalse127.0.0.1-54573-false127.0.0.53-53- 354300x80000000000000002141204Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.506{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudoubuntuudpfalsefalse127.0.0.53-53-false127.0.0.1-54573- 354300x80000000000000002141203Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.506{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-54573- 354300x80000000000000002141206Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.509{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-43213- 354300x80000000000000002141205Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.509{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudoubuntuudptruefalse127.0.0.1-43213-false127.0.0.53-53- 154100x80000000000000002141207Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.512{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dash-----sh ./orshred.sh/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudosudoubuntu 154100x80000000000000002141208Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.513{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudo-----sudo echo echo 'you are infected by wsol.sh'/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dashshroot 354300x80000000000000002141211Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.517{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-58161-false10.0.0.2-53- 354300x80000000000000002141210Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.517{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-48822-false10.0.0.2-53- 354300x80000000000000002141209Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.517{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudorootudptruefalse127.0.0.1-60493-false127.0.0.53-53- 354300x80000000000000002141215Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.518{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-44915- 354300x80000000000000002141214Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.518{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudorootudptruefalse127.0.0.1-44915-false127.0.0.53-53- 354300x80000000000000002141213Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.518{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudorootudpfalsefalse127.0.0.53-53-false127.0.0.1-60493- 354300x80000000000000002141212Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.518{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-60493- 154100x80000000000000002141216Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.521{ec230001-6bb4-6262-d80d-4eae83550000}2231/bin/echo-----echo echo 'you are infected by wsol.sh'/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudosudoroot 534500x80000000000000002141217Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.522{ec230001-6bb4-6262-d80d-4eae83550000}2231/bin/echoroot 154100x80000000000000002141219Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.523{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudo-----sudo crontab -l/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dashshroot 534500x80000000000000002141218Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.523{ec230001-6bb4-6262-08ae-734f51560000}2230/usr/bin/sudoroot 354300x80000000000000002141222Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.526{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-34510-false10.0.0.2-53- 354300x80000000000000002141221Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.526{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-40574-false10.0.0.2-53- 354300x80000000000000002141220Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.526{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudorootudptruefalse127.0.0.1-41310-false127.0.0.53-53- 354300x80000000000000002141226Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.527{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-38988- 354300x80000000000000002141225Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.527{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudorootudptruefalse127.0.0.1-38988-false127.0.0.53-53- 354300x80000000000000002141224Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.527{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudorootudpfalsefalse127.0.0.53-53-false127.0.0.1-38988- 354300x80000000000000002141223Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.527{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-41310- 154100x80000000000000002141227Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.530{ec230001-6bb4-6262-7032-dc02d1550000}2233/usr/bin/crontab-----crontab -l/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudosudoroot 154100x80000000000000002141230Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.533{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudo-----sudo echo 58 17 * * * /bin/bash /var/log/wsol.sh & disown/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dashshroot 534500x80000000000000002141229Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.533{ec230001-6bb4-6262-088e-c1eb92550000}2232/usr/bin/sudoroot 534500x80000000000000002141228Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.533{ec230001-6bb4-6262-7032-dc02d1550000}2233/usr/bin/crontabroot 354300x80000000000000002141235Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.537{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudorootudpfalsefalse127.0.0.53-53-false127.0.0.1-60271- 354300x80000000000000002141234Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.537{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-60271- 354300x80000000000000002141233Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.537{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-38586-false10.0.0.2-53- 354300x80000000000000002141232Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.537{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-46004-false10.0.0.2-53- 354300x80000000000000002141231Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.537{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudorootudptruefalse127.0.0.1-60271-false127.0.0.53-53- 354300x80000000000000002141237Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.538{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-53587- 354300x80000000000000002141236Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.538{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudorootudptruefalse127.0.0.1-53587-false127.0.0.53-53- 154100x80000000000000002141238Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.540{ec230001-6bb4-6262-d8bd-aa5486550000}2235/bin/echo-----echo 58 17 * * * /bin/bash /var/log/wsol.sh & disown/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudosudoroot 534500x80000000000000002141239Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.541{ec230001-6bb4-6262-d8bd-aa5486550000}2235/bin/echoroot 154100x80000000000000002141241Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.542{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudo-----sudo crontab /var/log/tasks/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dashshroot 534500x80000000000000002141240Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.542{ec230001-6bb4-6262-088e-7a0dbd550000}2234/usr/bin/sudoroot 354300x80000000000000002141246Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.546{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudorootudpfalsefalse127.0.0.53-53-false127.0.0.1-51380- 354300x80000000000000002141245Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.546{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-51380- 354300x80000000000000002141244Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.546{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-41592-false10.0.0.2-53- 354300x80000000000000002141243Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.546{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-58273-false10.0.0.2-53- 354300x80000000000000002141242Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.546{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudorootudptruefalse127.0.0.1-51380-false127.0.0.53-53- 354300x80000000000000002141248Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.547{ec230001-60ee-6262-c037-a3c6b5550000}744/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-50516- 354300x80000000000000002141247Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.547{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudorootudptruefalse127.0.0.1-50516-false127.0.0.53-53- 154100x80000000000000002141249Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.552{ec230001-6bb4-6262-70b2-0ef088550000}2237/usr/bin/crontab-----crontab /var/log/tasks/home/ubunturoot{ec230001-0000-0000-0000-000000000000}01no level-{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudosudoroot 534500x80000000000000002141250Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.556{ec230001-6bb4-6262-70b2-0ef088550000}2237/usr/bin/crontabroot 534500x80000000000000002141251Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.557{ec230001-6bb4-6262-08be-c599bb550000}2236/usr/bin/sudoroot 534500x80000000000000002141253Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.558{ec230001-6bb4-6262-081e-ae9e9a550000}2228/usr/bin/sudoroot 534500x80000000000000002141252Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:48.558{ec230001-6bb4-6262-6882-19a9db550000}2229/bin/dashroot 354300x80000000000000002141254Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:53.242{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34376-false10.0.1.12-8000- 354300x80000000000000002141255Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:47:58.392{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34378-false10.0.1.12-8000- 23542300x80000000000000002141256Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:00.959{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141257Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:03.442{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34380-false10.0.1.12-8000- 354300x80000000000000002141258Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:09.246{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34382-false10.0.1.12-8000- 354300x80000000000000002141259Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:14.347{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34384-false10.0.1.12-8000- 354300x80000000000000002141260Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:19.363{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34386-false10.0.1.12-8000- 354300x80000000000000002141261Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:25.358{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34388-false10.0.1.12-8000- 23542300x80000000000000002141262Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:31.006{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002141263Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:31.348{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34390-false10.0.1.12-8000- 354300x80000000000000002141264Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:37.264{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34392-false10.0.1.12-8000- 354300x80000000000000002141265Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:42.310{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34394-false10.0.1.12-8000- 154100x80000000000000002141266Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:42.960{ec230001-6bea-6262-68a4-5616e6550000}2238/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002141267Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:42.971{ec230001-6bea-6262-68a4-5616e6550000}2238/bin/psroot 354300x80000000000000002141268Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:46.376{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-37380-false10.0.1.12-8089- 354300x80000000000000002141269Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:47.364{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34398-false10.0.1.12-8000- 354300x80000000000000002141270Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:52.401{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34400-false10.0.1.12-8000- 354300x80000000000000002141271Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 08:48:57.433{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34402-false10.0.1.12-8000-