11/24/2021 01:51:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299606 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64454 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:42 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299605 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64454 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:51:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299608 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299607 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299610 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64455 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:47 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299609 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64455 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:51:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299611 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299613 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64456 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299612 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64456 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:51:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299615 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64457 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:51:58 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299614 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64457 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299617 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64458 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299616 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64458 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299619 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299618 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299621 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64459 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:09 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299620 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64459 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299622 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299624 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64460 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:15 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299623 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64460 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299626 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64461 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:20 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299625 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64461 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299628 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64462 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299627 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64462 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299630 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64463 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:25 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299629 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64463 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966790 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xe08 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:52:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966789 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe08 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299632 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299631 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966792 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1600 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:52:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966791 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1600 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299633 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 444 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 123 Destination Address: 168.61.215.74 Destination Port: 123 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966794 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xbf4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:52:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966793 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbf4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299638 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1c34 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:52:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299637 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c34 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299636 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299635 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64464 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299634 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64464 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299641 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfb4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299640 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1fa0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:52:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299639 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1fa0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299644 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1d44 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:52:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299643 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d44 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299642 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xfb4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:52:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299646 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ca0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:52:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299645 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ca0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299650 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ae0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:52:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299649 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299648 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ff4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:52:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299647 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ff4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966797 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xe14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966796 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16d4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:52:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966795 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16d4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966800 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11ac Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966799 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11ac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299658 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974840C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299657 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1974840C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 64466 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299656 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974840C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299655 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 64466 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299654 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 64466 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299653 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 64466 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299652 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64465 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299651 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64465 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966798 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xe14 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:52:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966802 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc58 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:52:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966801 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc58 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:52:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299660 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64467 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299659 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64467 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299662 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299661 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299664 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64468 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:48 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299663 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64468 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299665 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299671 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64470 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299670 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64470 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=1513299669 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-128 Error Code: 0x0 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299668 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 59881 Destination Address: 10.0.1.14 Destination Port: 49672 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299667 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64469 Destination Address: 10.0.1.15 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299666 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 64469 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=3966804 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D93915 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: WIN-DC-128 Source Network Address: 10.0.1.14 Source Port: 64469 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:52:53 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=3966803 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D93915 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/24/2021 01:52:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299673 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64471 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:52:59 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299672 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64471 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299675 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64472 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299674 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64472 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:05 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=3966805 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D93915 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299677 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299676 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299679 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64473 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299678 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64473 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299680 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299682 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64474 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299681 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64474 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299684 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64475 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299683 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64475 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299686 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64476 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299685 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64476 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966807 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16b4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:53:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966806 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16b4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299688 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299687 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966810 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966809 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xfe4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:53:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966808 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfe4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966811 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x244 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:53:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299690 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64477 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299689 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64477 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299693 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1614 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299692 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1614 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299691 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299696 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1998 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299695 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1f58 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:53:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299694 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f58 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299701 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1c14 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:53:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299700 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299699 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64478 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299698 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64478 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299697 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1998 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:53:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299704 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1828 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299703 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b8c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:53:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299702 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b8c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299707 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b14 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:53:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299706 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b14 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299705 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1828 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966814 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1630 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966813 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xddc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966812 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xddc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299713 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64480 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299712 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64480 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299711 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 64480 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299710 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64479 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299709 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64479 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:53:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299708 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 64479 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299719 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974C665 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299718 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1974C665 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 64481 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299717 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974C665 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299716 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 64481 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299715 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 64481 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299714 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 64481 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966817 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966816 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966815 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1630 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:53:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299721 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64482 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299720 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64482 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966819 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17a0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:53:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966818 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17a0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:53:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299723 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64483 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:43 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299722 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64483 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299725 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299724 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299727 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64484 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:49 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299726 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64484 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:53:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299728 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299730 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64485 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:53:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299729 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64485 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299732 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64486 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:00 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299731 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64486 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1513299740 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974DF48 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: \ Access Request Information: Access Mask: 0x100080 Accesses: SYNCHRONIZE ReadAttributes Access Check Results: SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1513299739 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974DF48 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1513299738 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974DF48 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Share Information: Share Name: \\*\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299737 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1974DF48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {542EC13B-7827-C03E-14B0-B1B7ABBF1CDD} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299736 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974DF48 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299735 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299734 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64487 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:54:03 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299733 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 64487 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:54:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299744 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299743 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299742 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64488 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299741 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64488 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299747 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299746 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64489 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299745 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64489 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:14 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299748 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1974DF48 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:54:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299750 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64490 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:16 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299749 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64490 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299752 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64491 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:22 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299751 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64491 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299754 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64492 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299753 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64492 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966821 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1164 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:54:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966820 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1164 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299756 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299755 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966823 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1584 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:54:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966822 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1584 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299758 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64493 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299757 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64493 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966825 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1708 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:54:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966824 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1708 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299761 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e90 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:54:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299760 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299759 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e90 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299763 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xdbc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:54:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299762 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdbc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299769 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1d4c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299768 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d4c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299767 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64494 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299766 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64494 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299765 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1df4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:54:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299764 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1df4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299771 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1958 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:54:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299770 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1958 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299775 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b80 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:54:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299774 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b80 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299773 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x18cc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:54:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299772 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18cc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966829 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x278 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:54:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966828 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x278 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966827 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x398 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:54:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966826 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x398 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299781 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19751963 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299780 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x19751963 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 64495 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299779 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19751963 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299778 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 64495 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299777 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 64495 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299776 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 64495 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966832 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x5c4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966831 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x117c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:54:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966830 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x117c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:54:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966833 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x5c4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:54:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299783 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64496 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299782 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64496 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299785 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64497 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299784 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64497 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299787 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299786 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299790 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299789 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64498 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299788 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64498 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=3966835 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Identification New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B565 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: WIN-DC-128 Source Network Address: 10.0.1.14 Source Port: 64499 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=3966834 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B565 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=1513299795 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-128 Error Code: 0x0 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299794 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 59906 Destination Address: 10.0.1.14 Destination Port: 49672 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299793 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 63768 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299792 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64499 Destination Address: 10.0.1.15 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299791 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 64499 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:54:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299797 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64500 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:54:57 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299796 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64500 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299799 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64501 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299798 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64501 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299801 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299800 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=3966836 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9B565 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:55:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299803 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64502 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299802 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64502 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299804 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299806 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64503 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:13 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299805 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64503 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299808 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64504 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:18 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299807 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64504 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299812 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64506 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299811 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64506 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299810 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64505 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299809 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64505 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966838 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16cc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:55:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966837 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16cc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299814 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299813 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966840 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1580 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:55:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966839 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1580 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966842 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x153c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:55:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966841 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x153c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299816 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64507 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:29 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299815 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64507 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299819 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17ec Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:55:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299818 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299817 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17ec New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299821 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1f08 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:55:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299820 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f08 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299825 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:55:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299824 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299823 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1a24 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:55:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299822 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a24 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299828 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d7c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299827 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e6c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:55:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299826 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e6c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299833 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xef8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:55:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299832 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xef8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299831 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1d7c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:55:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299830 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64508 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299829 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64508 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966846 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10fc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:55:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966845 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966844 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x13e4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:55:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966843 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966848 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xdf4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966847 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdf4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299839 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x197566A6 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299838 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x197566A6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 64509 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299837 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x197566A6 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299836 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 64509 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299835 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 64509 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:55:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299834 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 64509 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:55:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966850 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1308 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:55:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966849 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1308 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=3966854 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E65B Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4698 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=3966853 Keywords=Audit Success Message=A scheduled task was created. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E65B Task Information: Task Name: \evilTask Task Content: 2021-11-24T01:55:39 ATTACKRANGE\Administrator \evilTask 2021-11-24T00:00:00 true IgnoreNew true true true false false PT10M PT1H true false true true false false false PT72H 7 C:\Windows/system32/regsvr32.exe /u /n /s /i:evil.sct scrobj.dll S-1-5-18 LeastPrivilege 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=3966852 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E65B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: WIN-DC-128 Source Network Address: 10.0.1.14 Source Port: 64511 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=3966851 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E65B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299852 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Process Information: Process ID: 0x1568 Process Name: C:\Windows\System32\schtasks.exe Exit Status: 0x0 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=1513299851 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-128 Error Code: 0x0 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299850 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 59917 Destination Address: 10.0.1.14 Destination Port: 49672 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299849 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5480 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64511 Destination Address: 10.0.1.15 Destination Port: 49668 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299848 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5480 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64511 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299847 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5480 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64510 Destination Address: 10.0.1.15 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299846 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5480 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64510 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299845 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2360 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 59996 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299844 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2360 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 58948 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299843 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1056 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 58948 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299842 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1056 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 58948 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299841 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1056 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 58948 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299840 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1568 New Process Name: C:\Windows\System32\schtasks.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2d4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: Schtasks /S 10.0.1.15 /create /tn evilTask /tr "C:\Windows/system32/regsvr32.exe /u /n /s /i:evil.sct scrobj.dll" /ru system /sc once /st 00:00 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299854 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64512 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:40 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299853 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64512 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966859 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14e8 Process Name: C:\Windows\System32\regsvr32.exe Exit Status: 0x5 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=3966858 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E949 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966857 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14e8 New Process Name: C:\Windows\System32\regsvr32.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x454 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows/system32/regsvr32.exe /u /n /s /i:evil.sct scrobj.dll Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=3966856 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E949 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: WIN-DC-128 Source Network Address: 10.0.1.14 Source Port: 64514 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=3966855 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9E949 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299863 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64515 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299862 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64515 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299861 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Process Information: Process ID: 0x1940 Process Name: C:\Windows\System32\schtasks.exe Exit Status: 0x0 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=1513299860 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-128 Error Code: 0x0 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299859 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6464 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64514 Destination Address: 10.0.1.15 Destination Port: 49668 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299858 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6464 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64514 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299857 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6464 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64513 Destination Address: 10.0.1.15 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299856 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6464 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64513 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:45 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299855 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1940 New Process Name: C:\Windows\System32\schtasks.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2d4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: Schtasks /S 10.0.1.15 /run /tn evilTask Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:55:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299865 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:46 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299864 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299868 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299867 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64516 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:51 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299866 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64516 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:55:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299870 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64517 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:55:56 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299869 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64517 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299872 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64518 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:01 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299871 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64518 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=3966863 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9FB8C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4699 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Other Object Access Events OpCode=Info RecordNumber=3966862 Keywords=Audit Success Message=A scheduled task was deleted. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9FB8C Task Information: Task Name: \evilTask Task Content: 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=3966861 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9FB8C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: WIN-DC-128 Source Network Address: 10.0.1.14 Source Port: 64520 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V2 Key Length: 128 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=3966860 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x9D9FB8C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299880 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Process Information: Process ID: 0x1a90 Process Name: C:\Windows\System32\schtasks.exe Exit Status: 0x0 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4776 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Credential Validation OpCode=Info RecordNumber=1513299879 Keywords=Audit Success Message=The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Administrator Source Workstation: WIN-DC-128 Error Code: 0x0 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299878 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 59923 Destination Address: 10.0.1.14 Destination Port: 49672 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299877 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6800 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64520 Destination Address: 10.0.1.15 Destination Port: 49668 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299876 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6800 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64520 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299875 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6800 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64519 Destination Address: 10.0.1.15 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299874 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6800 Application Name: \device\harddiskvolume1\windows\system32\schtasks.exe Network Information: Source Address: 0.0.0.0 Source Port: 64519 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:04 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299873 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: Administrator Account Domain: ATTACKRANGE Logon ID: 0x809F9 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a90 New Process Name: C:\Windows\System32\schtasks.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2d4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: Schtasks /S 10.0.1.15 /delete /tn evilTask /F Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299884 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299883 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299882 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64521 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:06 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299881 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64521 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299915 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758E86 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299914 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758F74 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299913 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758FBC Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1513299912 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975903F Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1513299911 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975903F Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1513299910 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975903F Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299909 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1975903F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A3E2735-151A-ECCD-1DA0-720119BDCD48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299908 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975903F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299907 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299906 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64526 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299905 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 64526 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299904 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x19758FBC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A3E2735-151A-ECCD-1DA0-720119BDCD48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 64525 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299903 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758FBC Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299902 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.14 Source Port: 64525 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299901 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64525 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65789 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299900 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 64525 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299899 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x19758F74 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A3E2735-151A-ECCD-1DA0-720119BDCD48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299898 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758F74 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299897 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x19758E86 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A3E2735-151A-ECCD-1DA0-720119BDCD48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64524 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299896 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758E86 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299895 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x19758E63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7A3E2735-151A-ECCD-1DA0-720119BDCD48} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64523 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299894 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x19758E63 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299893 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64524 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299892 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64524 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299891 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1272 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 64524 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299890 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64523 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299889 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64523 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299888 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 64523 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299887 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64522 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299886 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64522 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:08 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299885 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 64522 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:11 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299916 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299918 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64527 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:12 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299917 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64527 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299920 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64528 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:17 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299919 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64528 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:19 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299921 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975903F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299923 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64529 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:23 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299922 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64529 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299925 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64530 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:24 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299924 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2968 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64530 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966865 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x58c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:56:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966864 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x58c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299927 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299926 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966867 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xd34 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:56:27 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966866 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd34 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966869 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1170 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:56:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966868 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1170 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299929 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64531 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:28 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299928 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64531 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299933 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x19a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 11/24/2021 01:56:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299932 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2480 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49676 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299931 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:31 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299930 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 444 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 123 Destination Address: 10.0.1.14 Destination Port: 123 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 11/24/2021 01:56:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299936 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdec New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299935 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xa40 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:56:32 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299934 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xa40 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299941 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17ec Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 11/24/2021 01:56:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299940 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17ec New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299939 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64532 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299938 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64532 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 11/24/2021 01:56:33 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299937 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xdec Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 11/24/2021 01:56:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299944 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10ac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299943 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xca4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:56:34 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299942 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xca4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299962 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x126c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1513299961 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x126c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0xb98 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1513299960 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10ac Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299959 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975BD35 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299958 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1975BD35 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64535 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299957 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975BD35 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299956 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64535 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299955 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64535 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299954 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 64535 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299953 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975BCC9 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299952 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1975BCC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 64534 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299951 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975BCC9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299950 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64534 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299949 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64534 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299948 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 64534 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299947 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 904 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64533 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299946 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 64533 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:35 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299945 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2972 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 64533 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966873 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x30c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966872 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x928 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:56:36 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966871 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x928 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1513299968 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975C448 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1513299967 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0x1975C448 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {F098B279-CC7D-E3AF-56F5-93B215485F65} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 64536 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1513299966 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x1975C448 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299965 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 64536 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299964 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 64536 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299963 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2876 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 64536 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966876 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10b4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966875 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10b4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:37 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966874 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x30c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 11/24/2021 01:56:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=3966878 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14bc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 11/24/2021 01:56:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=3966877 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x91c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 11/24/2021 01:56:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299970 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 64537 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 11/24/2021 01:56:39 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1513299969 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2352 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 64537 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36