154100x8000000000000000171249Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 09:01:31.480{03D06954-8DEB-65E5-288F-000000004903}1056C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeFtp.exeC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 154100x8000000000000000171241Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 09:00:19.268{03D06954-8DA3-65E5-218F-000000004903}4328C:\Windows\System32\gpupdate.exe10.0.14393.3986 (rs1_release.201002-1707)Microsoft® Group Policy Update UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationGPUpdate.exegpupdate /forceC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=2A360690356FCE21B7F18F4DB3CB8BF2,SHA256=AE6E09BD8130D3488FEE07248EFB58B08EB64B3C8F2FE64DD56A196BA82A299B,IMPHASH=B850A25F38035110A9276C6D7150694A{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 4688201331200x80200000000000001800361Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb90C:\Windows\System32\Ftp.exe%%19360x250Ftp.exeNULL SID--0x0C:\Windows\System32\services.exeMandatory Label\System Mandatory Level 154100x8000000000000000169694Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:38:26.532{03D06954-5042-65E5-D388-000000004903}2960C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating 
SystemMicrosoft CorporationFtp.exeFtp.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1472-65E0-0A00-000000004903}592C:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\SYSTEM 4104152150x0173495Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11sc.exe create MockService binPath= "Ftp.exe" start= autofe042bee-c890-4b22-b889-cb583b43d95b 704504000x8080000000000000168102Systemar-win-dc.attackrange.localMockServiceFtp.exeuser mode serviceauto startLocalSystem 13241300x8000000000000000169693Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1031,T1050SetValue2024-03-04 04:38:23.109{03D06954-1472-65E0-0A00-000000004903}592C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MockService\ImagePathFtp.exeNT AUTHORITY\SYSTEM 154100x8000000000000000169691Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:38:23.117{03D06954-503F-65E5-D288-000000004903}4484C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" create MockService binPath= Ftp.exe start= autoC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{03D06954-3056-65E5-FC83-000000004903}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 
4688201331200x80200000000000001800360Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1184C:\Windows\System32\sc.exe%%19360x1288"C:\Windows\system32\sc.exe" create MockService binPath= Ftp.exe start= autoNULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 154100x8000000000000000169683Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:38:02.555{03D06954-502A-65E5-CB88-000000004903}4144C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\system32\sc.exe" create MockService binPath= Ftp.exe start= autoC:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{03D06954-3056-65E5-FC83-000000004903}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 4688201331200x80200000000000001800318Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1030C:\Windows\System32\sc.exe%%19360x1288"C:\Windows\system32\sc.exe" create MockService binPath= Ftp.exe start= autoNULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 4104152150x0173471Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11sc.exe create MockService binPath= "Ftp.exe" start= autoa475f1f1-f9b0-4ffe-abb1-672d63c32197 4688201331200x80200000000000001798409Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12f0C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" 
--scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798408Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x104cC:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798407Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8d0C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798406Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe90C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798405Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf1cC:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798404Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x11bcC:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798403Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1074C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169493Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.750{03D06954-4965-65E5-0D88-000000004903}4848C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169492Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.641{03D06954-4965-65E5-0C88-000000004903}4172C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169491Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.531{03D06954-4965-65E5-0B88-000000004903}2256C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169490Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.422{03D06954-4965-65E5-0A88-000000004903}3728C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169489Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.312{03D06954-4965-65E5-0988-000000004903}3868C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169488Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:09.203{03D06954-4965-65E5-0888-000000004903}4540C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169487Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
04:09:09.093{03D06954-4965-65E5-0788-000000004903}4212C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001798402Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xffcC:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798401Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x420C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798400Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x658C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798397Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x148C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xdf0"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798396Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xdf0C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798394Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x130cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x950btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798393Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x950C:\Windows\System32\Ftp.exe%%19360x1300C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169486Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.985{03D06954-4964-65E5-0688-000000004903}4092C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169485Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.861{03D06954-4964-65E5-0588-000000004903}1056C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169484Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.745{03D06954-4964-65E5-0488-000000004903}1624C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169483Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.463{03D06954-4964-65E5-0388-000000004903}328C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4964-65E5-0288-000000004903}3568C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169482Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.458{03D06954-4964-65E5-0288-000000004903}3568C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169480Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
04:09:08.181{03D06954-4964-65E5-0088-000000004903}4876C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4964-65E5-FF87-000000004903}2384C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169479Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:08.174{03D06954-4964-65E5-FF87-000000004903}2384C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4962-65E5-F287-000000004903}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001798391Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x113cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xbfcbtool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798390Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbfcC:\Windows\System32\Ftp.exe%%19360x1300C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169477Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:07.867{03D06954-4963-65E5-FD87-000000004903}4412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4963-65E5-FC87-000000004903}3068C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169476Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:07.862{03D06954-4963-65E5-FC87-000000004903}3068C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4962-65E5-F287-000000004903}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001798377Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x788"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory 
Label\System Mandatory Level 4688201331200x80200000000000001798376Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x788C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169466Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:06.086{03D06954-4962-65E5-F287-000000004903}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4962-65E5-F187-000000004903}1928C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169465Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:06.077{03D06954-4962-65E5-F187-000000004903}1928C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001798374Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf2cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xd74btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798373Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd74C:\Windows\System32\Ftp.exe%%19360x820C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798371Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1308C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x133cbtool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798370Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x133cC:\Windows\System32\Ftp.exe%%19360x820C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798368Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13f0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xd60btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 
4688201331200x80200000000000001798367Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd60C:\Windows\System32\Ftp.exe%%19360x820C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169463Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:05.716{03D06954-4961-65E5-EF87-000000004903}3884C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4961-65E5-EE87-000000004903}3444C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169462Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:05.711{03D06954-4961-65E5-EE87-000000004903}3444C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169460Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
04:09:05.412{03D06954-4961-65E5-EC87-000000004903}4872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4961-65E5-EB87-000000004903}4924C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169459Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:05.405{03D06954-4961-65E5-EB87-000000004903}4924C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169457Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:05.123{03D06954-4961-65E5-E987-000000004903}5104C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4961-65E5-E887-000000004903}3424C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169456Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:05.118{03D06954-4961-65E5-E887-000000004903}3424C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 4688201331200x80200000000000001798365Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6b4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xab8btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798364Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xab8C:\Windows\System32\Ftp.exe%%19360x820C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798362Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1124C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe%%19360xd24btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798361Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd24C:\Windows\System32\Ftp.exe%%19360x820C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798360Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x820C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x1378"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798359Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1378C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798357Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbf4C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xe90"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798356Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe0cC:\Windows\System32\conhost.exe%%19360xe90\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001798355Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe90C:\Windows\System32\Ftp.exe%%19360x10f8C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169454Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.876{03D06954-4960-65E5-E687-000000004903}1716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4960-65E5-E587-000000004903}2744C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169453Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.872{03D06954-4960-65E5-E587-000000004903}2744C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169451Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.475{03D06954-4960-65E5-E387-000000004903}4388C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4960-65E5-E287-000000004903}3364C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169450Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.460{03D06954-4960-65E5-E287-000000004903}3364C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169449Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.435{03D06954-4960-65E5-E187-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4960-65E5-E087-000000004903}4984C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169448Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.429{03D06954-4960-65E5-E087-000000004903}4984C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169447Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.393{03D06954-4960-65E5-DE87-000000004903}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4960-65E5-DC87-000000004903}3728C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000169446Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:04.371{03D06954-4960-65E5-DC87-000000004903}3728C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4960-65E5-DB87-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001798352Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xe70C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x11bcbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798351Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11bcC:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798349Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xa24C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1234btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 
4688201331200x80200000000000001798348Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1234C:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169443Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:03.852{03D06954-495F-65E5-D987-000000004903}3696C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-495F-65E5-D887-000000004903}4540C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169442Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:03.844{03D06954-495F-65E5-D887-000000004903}4540C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169440Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
04:09:03.495{03D06954-495F-65E5-D687-000000004903}2596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-495F-65E5-D587-000000004903}4660C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logATTACKRANGE\Administrator 154100x8000000000000000169439Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:03.489{03D06954-495F-65E5-D587-000000004903}4660C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001798336Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x738C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1020btool server list httpServerListener: --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798335Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1020C:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list 
httpServerListener: --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798333Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x25cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x73cbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798332Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x73cC:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798330Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x460C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xe7cbtool server list httpServer --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798329Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xe7cC:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169428Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.967{03D06954-495C-65E5-CA87-000000004903}1848C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-495C-65E5-C987-000000004903}4128C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logATTACKRANGE\Administrator 154100x8000000000000000169427Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.956{03D06954-495C-65E5-C987-000000004903}4128C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169425Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.650{03D06954-495C-65E5-C787-000000004903}604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-495C-65E5-C687-000000004903}1852C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 
154100x8000000000000000169424Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.643{03D06954-495C-65E5-C687-000000004903}1852C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169422Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.354{03D06954-495C-65E5-C487-000000004903}1120C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-495C-65E5-C387-000000004903}3708C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logATTACKRANGE\Administrator 154100x8000000000000000169421Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:09:00.348{03D06954-495C-65E5-C387-000000004903}3708C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001798320Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x100C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x12c8btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798319Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x12c8C:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169419Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:53.039{03D06954-4955-65E5-C187-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4955-65E5-C087-000000004903}4808C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logATTACKRANGE\Administrator 154100x8000000000000000169418Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:53.034{03D06954-4955-65E5-C087-000000004903}4808C:\Windows\System32\Ftp.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001798317Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x10b0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x13bcbtool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798316Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x13bcC:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798314Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xea4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xdbcbtool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798313Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xdbcC:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 
4688201331200x80200000000000001798311Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x148C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x420btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798310Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x420C:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169416Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.753{03D06954-4954-65E5-BE87-000000004903}4272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4954-65E5-BD87-000000004903}5052C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logATTACKRANGE\Administrator 154100x8000000000000000169415Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.748{03D06954-4954-65E5-BD87-000000004903}5052C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169413Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.484{03D06954-4954-65E5-BB87-000000004903}3748C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4954-65E5-BA87-000000004903}3516C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logATTACKRANGE\Administrator 154100x8000000000000000169412Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.475{03D06954-4954-65E5-BA87-000000004903}3516C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 
154100x8000000000000000169410Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.160{03D06954-4954-65E5-B887-000000004903}328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4954-65E5-B787-000000004903}1056C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169409Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:52.154{03D06954-4954-65E5-B787-000000004903}1056C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001798308Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11d0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xec8btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 
4688201331200x80200000000000001798307Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xec8C:\Windows\System32\Ftp.exe%%19360x101cC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001798306Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x101cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xb18.\splunk.exe restartNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 154100x8000000000000000169407Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:51.845{03D06954-4953-65E5-B587-000000004903}4560C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4953-65E5-B487-000000004903}3784C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logATTACKRANGE\Administrator 154100x8000000000000000169406Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:51.839{03D06954-4953-65E5-B487-000000004903}3784C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169405Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 04:08:51.818{03D06954-4953-65E5-B387-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe.\splunk.exe restartC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 4688201331200x80200000000000001797220Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x39cC:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797219Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xef4C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797218Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13d8C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797217Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x168C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797216Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe74C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797215Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x358C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797214Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc14C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797213Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x218C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169285Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.849{03D06954-4527-65E5-3B87-000000004903}924C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169284Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.740{03D06954-4527-65E5-3A87-000000004903}3828C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT 
AUTHORITY\SYSTEM 154100x8000000000000000169283Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.630{03D06954-4527-65E5-3987-000000004903}5080C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169282Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.520{03D06954-4527-65E5-3887-000000004903}360C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169281Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.411{03D06954-4527-65E5-3787-000000004903}3700C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating 
SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169280Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.301{03D06954-4527-65E5-3687-000000004903}856C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169279Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.192{03D06954-4527-65E5-3587-000000004903}3092C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169278Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:03.083{03D06954-4527-65E5-3487-000000004903}536C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001797212Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xa10C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797211Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8ccC:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory 
Label\System Mandatory Level 4688201331200x80200000000000001797208Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe38C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x1080"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797207Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1080C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797205Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x7acbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797204Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x7acC:\Windows\System32\Ftp.exe%%19360x1008C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797202Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x938C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xc70btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 154100x8000000000000000169277Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.957{03D06954-4526-65E5-3387-000000004903}2576C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows 
Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169276Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.845{03D06954-4526-65E5-3287-000000004903}2252C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169275Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.610{03D06954-4526-65E5-3187-000000004903}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4526-65E5-3087-000000004903}4224C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169274Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.605{03D06954-4526-65E5-3087-000000004903}4224C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169272Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.341{03D06954-4526-65E5-2E87-000000004903}1860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4526-65E5-2D87-000000004903}1964C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT 
AUTHORITY\SYSTEM 154100x8000000000000000169271Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.336{03D06954-4526-65E5-2D87-000000004903}1964C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4524-65E5-2087-000000004903}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 154100x8000000000000000169269Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:02.005{03D06954-4526-65E5-2B87-000000004903}2360C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4525-65E5-2A87-000000004903}3184C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 4688201331200x80200000000000001797201Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc70C:\Windows\System32\Ftp.exe%%19360x1008C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 
154100x8000000000000000169268Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:01.995{03D06954-4525-65E5-2A87-000000004903}3184C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4524-65E5-2087-000000004903}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001797191Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1008C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xf44"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797190Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf44C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169258Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:00.014{03D06954-4524-65E5-2087-000000004903}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal 
pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4524-65E5-1F87-000000004903}3908C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169257Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:51:00.008{03D06954-4524-65E5-1F87-000000004903}3908C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001797188Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x3fcC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x101cbtool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797187Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x101cC:\Windows\System32\Ftp.exe%%19360x12bcC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797185Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x73cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x8b8btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797184Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8b8C:\Windows\System32\Ftp.exe%%19360x12bcC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797182Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1094C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x12a8btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797181Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12a8C:\Windows\System32\Ftp.exe%%19360x12bcC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169255Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.667{03D06954-4523-65E5-1D87-000000004903}1020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4523-65E5-1C87-000000004903}4124C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool 
server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169254Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.662{03D06954-4523-65E5-1C87-000000004903}4124C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0F87-000000004903}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169252Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.386{03D06954-4523-65E5-1A87-000000004903}1852C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4523-65E5-1987-000000004903}2232C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169251Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.380{03D06954-4523-65E5-1987-000000004903}2232C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0F87-000000004903}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169249Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.063{03D06954-4523-65E5-1787-000000004903}4244C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4523-65E5-1687-000000004903}4776C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169248Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:59.057{03D06954-4523-65E5-1687-000000004903}4776C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0F87-000000004903}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 
4688201331200x80200000000000001797179Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb5cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x104cbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797178Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x104cC:\Windows\System32\Ftp.exe%%19360x12bcC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797176Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6b4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x650btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797175Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x650C:\Windows\System32\Ftp.exe%%19360x12bcC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797174Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12bcC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x10d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797173Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10d8C:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797171Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xd4c"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797170Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xa5cC:\Windows\System32\conhost.exe%%19360xd4c\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001797169Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd4cC:\Windows\System32\Ftp.exe%%19360x102cC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169246Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.752{03D06954-4522-65E5-1487-000000004903}2908C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4522-65E5-1387-000000004903}4172C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169245Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.742{03D06954-4522-65E5-1387-000000004903}4172C:\Windows\System32\Ftp.exe10.0.14393.0 
(rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0F87-000000004903}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169243Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.428{03D06954-4522-65E5-1187-000000004903}1716C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4522-65E5-1087-000000004903}1616C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169242Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.423{03D06954-4522-65E5-1087-000000004903}1616C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0F87-000000004903}4796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169241Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.411{03D06954-4522-65E5-0F87-000000004903}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4522-65E5-0E87-000000004903}4312C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169240Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.406{03D06954-4522-65E5-0E87-000000004903}4312C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169239Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:50:58.374{03D06954-4522-65E5-0C87-000000004903}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4522-65E5-0A87-000000004903}3404C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000169238Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:58.358{03D06954-4522-65E5-0A87-000000004903}3404C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4522-65E5-0987-000000004903}4140C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001797166Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11f0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x788btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 
4688201331200x80200000000000001797165Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x788C:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797163Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1070C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xf2cbtool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797162Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xf2cC:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169235Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:57.818{03D06954-4521-65E5-0787-000000004903}4592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4521-65E5-0687-000000004903}1928C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169234Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:57.812{03D06954-4521-65E5-0687-000000004903}1928C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command 
ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169232Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:57.541{03D06954-4521-65E5-0487-000000004903}4208C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4521-65E5-0387-000000004903}3884C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logATTACKRANGE\Administrator 154100x8000000000000000169231Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:57.535{03D06954-4521-65E5-0387-000000004903}3884C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001797151Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x7b0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x8ccbtool server list httpServerListener: --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797150Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x8ccC:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797148Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x10b8C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xf68btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797147Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xf68C:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169220Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:55.366{03D06954-451F-65E5-F886-000000004903}1968C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk 
Inc.btool.exebtool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-451F-65E5-F786-000000004903}2252C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logATTACKRANGE\Administrator 154100x8000000000000000169219Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:55.360{03D06954-451F-65E5-F786-000000004903}2252C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169217Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:55.057{03D06954-451F-65E5-F586-000000004903}4280C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-451F-65E5-F486-000000004903}3944C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list 
general --no-logATTACKRANGE\Administrator 154100x8000000000000000169216Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:55.049{03D06954-451F-65E5-F486-000000004903}3944C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001797145Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x10d0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x810btool server list httpServer --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797144Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x810C:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169214Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:54.743{03D06954-451E-65E5-F286-000000004903}4304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-451E-65E5-F186-000000004903}2064C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logATTACKRANGE\Administrator 154100x8000000000000000169213Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:54.737{03D06954-451E-65E5-F186-000000004903}2064C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001797129Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x90cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x135cbtool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797128Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x135cC:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169211Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:50:47.763{03D06954-4517-65E5-EF86-000000004903}2316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4517-65E5-EE86-000000004903}4956C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logATTACKRANGE\Administrator 154100x8000000000000000169210Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:47.753{03D06954-4517-65E5-EE86-000000004903}4956C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001797126Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x81cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xc38btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797125Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xc38C:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797123Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x360C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x11ecbtool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797122Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11ecC:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169208Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:47.381{03D06954-4517-65E5-EC86-000000004903}2076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4517-65E5-EB86-000000004903}3128C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logATTACKRANGE\Administrator 154100x8000000000000000169207Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:47.376{03D06954-4517-65E5-EB86-000000004903}3128C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169205Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:47.083{03D06954-4517-65E5-E986-000000004903}864C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4517-65E5-E886-000000004903}4588C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logATTACKRANGE\Administrator 154100x8000000000000000169204Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:47.077{03D06954-4517-65E5-E886-000000004903}4588C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 
4688201331200x80200000000000001797120Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x121cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xf4cbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797119Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xf4cC:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797117Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x13e4btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797116Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x13e4C:\Windows\System32\Ftp.exe%%19360xce8C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001797115Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xce8C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xb18.\splunk.exe restartNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 154100x8000000000000000169202Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:46.755{03D06954-4516-65E5-E686-000000004903}4636C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4516-65E5-E586-000000004903}3916C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169201Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:46.745{03D06954-4516-65E5-E586-000000004903}3916C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169199Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:46.372{03D06954-4516-65E5-E386-000000004903}2436C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4516-65E5-E286-000000004903}5092C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logATTACKRANGE\Administrator 
154100x8000000000000000169198Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:46.361{03D06954-4516-65E5-E286-000000004903}5092C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169197Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:50:46.343{03D06954-4516-65E5-E186-000000004903}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe.\splunk.exe restartC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 4688201331200x80200000000000001796836Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8c0C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796835Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x121cC:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796834Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x984C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796833Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe48C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796832Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xce8C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796831Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x133cC:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169161Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:47:08.646{03D06954-443C-65E5-C186-000000004903}2240C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169160Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:08.536{03D06954-443C-65E5-C086-000000004903}4636C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169159Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:08.426{03D06954-443C-65E5-BF86-000000004903}2436C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program 
Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169158Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:08.317{03D06954-443C-65E5-BE86-000000004903}3656C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169157Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:08.207{03D06954-443C-65E5-BD86-000000004903}3304C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169156Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:08.098{03D06954-443C-65E5-BC86-000000004903}4924C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796830Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x11e0C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796829Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x474C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory 
Label\System Mandatory Level 4688201331200x80200000000000001796828Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x278C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796827Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12dcC:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796824Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x39cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x6e4"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796823Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6e4C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796821Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1360C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x13dcbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796820Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13dcC:\Windows\System32\Ftp.exe%%19360x13bcC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169155Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.989{03D06954-443B-65E5-BB86-000000004903}4576C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169154Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.880{03D06954-443B-65E5-BA86-000000004903}1140C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 
154100x8000000000000000169153Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.770{03D06954-443B-65E5-B986-000000004903}632C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169152Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.655{03D06954-443B-65E5-B886-000000004903}4828C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169151Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.373{03D06954-443B-65E5-B786-000000004903}924C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-443B-65E5-B686-000000004903}1764C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169150Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.368{03D06954-443B-65E5-B686-000000004903}1764C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169148Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.044{03D06954-443B-65E5-B486-000000004903}4960C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-443B-65E5-B386-000000004903}5084C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169147Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:07.038{03D06954-443B-65E5-B386-000000004903}5084C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4438-65E5-A686-000000004903}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001796818Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x7ccC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x12f0btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796817Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12f0C:\Windows\System32\Ftp.exe%%19360x13bcC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169145Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:47:06.800{03D06954-443A-65E5-B186-000000004903}1996C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-443A-65E5-B086-000000004903}4848C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169144Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:06.795{03D06954-443A-65E5-B086-000000004903}4848C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4438-65E5-A686-000000004903}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001796807Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13bcC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x460"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796806Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x460C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796804Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13c8C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x10f4btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796803Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10f4C:\Windows\System32\Ftp.exe%%19360x1324C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796801Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1378C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xb28btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796800Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb28C:\Windows\System32\Ftp.exe%%19360x1324C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169134Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:04.851{03D06954-4438-65E5-A686-000000004903}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes 
--no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4438-65E5-A586-000000004903}1120C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169133Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:04.846{03D06954-4438-65E5-A586-000000004903}1120C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169131Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:04.531{03D06954-4438-65E5-A386-000000004903}5064C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4438-65E5-A286-000000004903}4340C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169130Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:04.526{03D06954-4438-65E5-A286-000000004903}4340C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169128Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:04.259{03D06954-4438-65E5-A086-000000004903}4984C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4438-65E5-9F86-000000004903}2856C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169127Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:47:04.250{03D06954-4438-65E5-9F86-000000004903}2856C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796798Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12e0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xeb8btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796797Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xeb8C:\Windows\System32\Ftp.exe%%19360x1324C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796795Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xffcC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x6b0btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796794Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6b0C:\Windows\System32\Ftp.exe%%19360x1324C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 
4688201331200x80200000000000001796792Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xa58C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x734btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796791Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x734C:\Windows\System32\Ftp.exe%%19360x1324C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796790Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1324C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796789Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc10C:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796787Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd24C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xf4c"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796786Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xdb8C:\Windows\System32\conhost.exe%%19360xf4c\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory 
Label\System Mandatory Level 4688201331200x80200000000000001796785Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf4cC:\Windows\System32\Ftp.exe%%19360x1354C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169125Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.942{03D06954-4437-65E5-9D86-000000004903}4832C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4437-65E5-9C86-000000004903}3768C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169124Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.937{03D06954-4437-65E5-9C86-000000004903}3768C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 
154100x8000000000000000169122Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.655{03D06954-4437-65E5-9A86-000000004903}4092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4437-65E5-9986-000000004903}1712C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169121Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.650{03D06954-4437-65E5-9986-000000004903}1712C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169119Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.299{03D06954-4437-65E5-9786-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4437-65E5-9686-000000004903}1844C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169118Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.294{03D06954-4437-65E5-9686-000000004903}1844C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000169117Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.285{03D06954-4437-65E5-9586-000000004903}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4437-65E5-9486-000000004903}3088C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT 
AUTHORITY\SYSTEM 154100x8000000000000000169116Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.279{03D06954-4437-65E5-9486-000000004903}3088C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169115Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.236{03D06954-4437-65E5-9286-000000004903}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4437-65E5-9086-000000004903}3916C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000169114Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:03.204{03D06954-4437-65E5-9086-000000004903}3916C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c 
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4436-65E5-8F86-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796782Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xc54C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x658btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796781Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x658C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796779Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x650C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x820btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796778Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x820C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169111Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:02.718{03D06954-4436-65E5-8D86-000000004903}3156C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4436-65E5-8C86-000000004903}1624C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169110Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:02.705{03D06954-4436-65E5-8C86-000000004903}1624C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169108Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:02.429{03D06954-4436-65E5-8A86-000000004903}1616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4436-65E5-8986-000000004903}2080C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logATTACKRANGE\Administrator 154100x8000000000000000169107Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:02.423{03D06954-4436-65E5-8986-000000004903}2080C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796767Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x958C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x105cbtool server list httpServerListener: --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796766Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x105cC:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 
4688201331200x80200000000000001796764Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xcdcC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x12c4btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796763Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x12c4C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169096Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:00.290{03D06954-4434-65E5-7E86-000000004903}2392C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4434-65E5-7D86-000000004903}4188C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logATTACKRANGE\Administrator 154100x8000000000000000169095Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:00.285{03D06954-4434-65E5-7D86-000000004903}4188C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169093Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:00.017{03D06954-4434-65E5-7B86-000000004903}3292C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4434-65E5-7A86-000000004903}4804C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000169092Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:47:00.007{03D06954-4434-65E5-7A86-000000004903}4804C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 
4688201331200x80200000000000001796761Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xc80C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xf68btool server list httpServer --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796760Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xf68C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169090Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:59.696{03D06954-4433-65E5-7886-000000004903}3200C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4433-65E5-7786-000000004903}3944C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logATTACKRANGE\Administrator 154100x8000000000000000169089Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:59.690{03D06954-4433-65E5-7786-000000004903}3944C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169087Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:53.196{03D06954-442D-65E5-7586-000000004903}4084C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-442D-65E5-7486-000000004903}2256C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logATTACKRANGE\Administrator 154100x8000000000000000169086Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:53.189{03D06954-442D-65E5-7486-000000004903}2256C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 
4688201331200x80200000000000001796756Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xff4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x8d0btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796755Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x8d0C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796753Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xc10C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x11bcbtool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796752Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11bcC:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796750Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xd30C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x118cbtool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796749Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x118cC:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 
154100x8000000000000000169084Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.859{03D06954-442C-65E5-7286-000000004903}3088C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-442C-65E5-7186-000000004903}4540C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logATTACKRANGE\Administrator 154100x8000000000000000169083Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.853{03D06954-442C-65E5-7186-000000004903}4540C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169081Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.580{03D06954-442C-65E5-6F86-000000004903}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-442C-65E5-6E86-000000004903}4492C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logATTACKRANGE\Administrator 154100x8000000000000000169080Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.575{03D06954-442C-65E5-6E86-000000004903}4492C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169078Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.288{03D06954-442C-65E5-6C86-000000004903}1052C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-442C-65E5-6B86-000000004903}4948C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 
154100x8000000000000000169077Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:52.279{03D06954-442C-65E5-6B86-000000004903}4948C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796747Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x41cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1354btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796746Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1354C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000169074Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:51.965{03D06954-442B-65E5-6886-000000004903}2080C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-442B-65E5-6786-000000004903}4912C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logATTACKRANGE\Administrator 154100x8000000000000000169073Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:51.949{03D06954-442B-65E5-6786-000000004903}4912C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000169072Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:46:51.930{03D06954-442B-65E5-6686-000000004903}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe.\splunk.exe restartC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 
4688201331200x80200000000000001796743Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x820C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1330btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796742Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1330C:\Windows\System32\Ftp.exe%%19360x135cC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796741Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x135cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xb18.\splunk.exe restartNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796491Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6b4C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796488Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x81cC:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796487Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6e4C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" 
--scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796486Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13dcC:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169031Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:50.390{03D06954-4376-65E5-4886-000000004903}1716C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169030Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:50.280{03D06954-4376-65E5-4786-000000004903}2076C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169029Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:50.171{03D06954-4376-65E5-4686-000000004903}1764C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169028Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:50.061{03D06954-4376-65E5-4586-000000004903}5084C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796485Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x101cC:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796484Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb28C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796483Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x98cC:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796482Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13f8C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796481Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd40C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796480Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x358C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796477Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x8c4"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796476Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8c4C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000169027Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.952{03D06954-4375-65E5-4486-000000004903}4124C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169026Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.836{03D06954-4375-65E5-4386-000000004903}2856C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169025Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.726{03D06954-4375-65E5-4286-000000004903}2444C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169024Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:43:49.613{03D06954-4375-65E5-4186-000000004903}5112C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169023Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.471{03D06954-4375-65E5-4086-000000004903}3392C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169022Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.361{03D06954-4375-65E5-3F86-000000004903}856C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program 
Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169021Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.082{03D06954-4375-65E5-3E86-000000004903}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4375-65E5-3D86-000000004903}2244C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169020Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:49.077{03D06954-4375-65E5-3D86-000000004903}2244C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796474Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe70C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x3ccbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796473Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x3ccC:\Windows\System32\Ftp.exe%%19360xaa8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796471Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xfb8C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x11ecbtool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796470Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x11ecC:\Windows\System32\Ftp.exe%%19360xaa8C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169018Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:48.813{03D06954-4374-65E5-3B86-000000004903}3696C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general 
--no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4374-65E5-3A86-000000004903}972C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169017Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:48.808{03D06954-4374-65E5-3A86-000000004903}972C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4372-65E5-2D86-000000004903}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 154100x8000000000000000169015Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:48.554{03D06954-4374-65E5-3886-000000004903}4024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4374-65E5-3786-000000004903}4588C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 
154100x8000000000000000169014Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:48.549{03D06954-4374-65E5-3786-000000004903}4588C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4372-65E5-2D86-000000004903}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001796460Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xaa8C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x12c4"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796459Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x12c4C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796457Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd24C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xe4cbtool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 
4688201331200x80200000000000001796456Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe4cC:\Windows\System32\Ftp.exe%%19360x100C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796454Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1318C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1188btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796453Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1188C:\Windows\System32\Ftp.exe%%19360x100C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000169004Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:46.832{03D06954-4372-65E5-2D86-000000004903}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4372-65E5-2C86-000000004903}4804C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000169003Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:43:46.825{03D06954-4372-65E5-2C86-000000004903}4804C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000169001Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:46.516{03D06954-4372-65E5-2A86-000000004903}3364C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4372-65E5-2986-000000004903}3660C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000169000Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:46.512{03D06954-4372-65E5-2986-000000004903}3660C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000168998Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:46.247{03D06954-4372-65E5-2786-000000004903}4888C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4372-65E5-2686-000000004903}4488C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000168997Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:46.242{03D06954-4372-65E5-2686-000000004903}4488C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 
4688201331200x80200000000000001796451Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1300C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x121cbtool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796450Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x121cC:\Windows\System32\Ftp.exe%%19360x100C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796448Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x2b0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x139cbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796447Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x139cC:\Windows\System32\Ftp.exe%%19360x100C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796445Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x340btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796444Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x340C:\Windows\System32\Ftp.exe%%19360x100C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796443Securityar-win-dc.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x100C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x1198"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796442Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1198C:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796440Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbe4C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xd4c"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796439Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd88C:\Windows\System32\conhost.exe%%19360xd4c\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001796438Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd4cC:\Windows\System32\Ftp.exe%%19360xb64C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000168995Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.987{03D06954-4371-65E5-2486-000000004903}4864C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore 
--no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4371-65E5-2386-000000004903}4636C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000168994Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.982{03D06954-4371-65E5-2386-000000004903}4636C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000168992Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.703{03D06954-4371-65E5-2186-000000004903}688C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4371-65E5-2086-000000004903}5020C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 
154100x8000000000000000168991Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.698{03D06954-4371-65E5-2086-000000004903}5020C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000168989Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.401{03D06954-4371-65E5-1E86-000000004903}4868C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4371-65E5-1D86-000000004903}832C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000168988Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.394{03D06954-4371-65E5-1D86-000000004903}832C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000168987Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.381{03D06954-4371-65E5-1C86-000000004903}256C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4371-65E5-1B86-000000004903}4504C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000168986Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.375{03D06954-4371-65E5-1B86-000000004903}4504C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000168985Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.345{03D06954-4371-65E5-1986-000000004903}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-4371-65E5-1786-000000004903}3404C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000168984Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:45.327{03D06954-4371-65E5-1786-000000004903}3404C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-4371-65E5-1686-000000004903}2916C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001796435Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x430C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x450btool server list general --no-logNULL 
SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796434Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x450C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796432Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x460C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x258btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796431Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x258C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000168981Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:44.801{03D06954-4370-65E5-1486-000000004903}1072C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4370-65E5-1386-000000004903}1104C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000168980Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:43:44.795{03D06954-4370-65E5-1386-000000004903}1104C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168978Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:44.516{03D06954-4370-65E5-1186-000000004903}1120C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-4370-65E5-1086-000000004903}600C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logATTACKRANGE\Administrator 154100x8000000000000000168977Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:44.511{03D06954-4370-65E5-1086-000000004903}600C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796420Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x101cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1118btool server list httpServerListener: --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796419Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1118C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000168966Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:42.113{03D06954-436E-65E5-0586-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-436E-65E5-0486-000000004903}4376C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logATTACKRANGE\Administrator 154100x8000000000000000168965Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 
03:43:42.105{03D06954-436E-65E5-0486-000000004903}4376C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServerListener: --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796417Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x10d0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x98cbtool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796416Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x98cC:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796414Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x10f8C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x11f4btool server list httpServer --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796413Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x11f4C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory 
Label\High Mandatory Level 154100x8000000000000000168963Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:41.824{03D06954-436D-65E5-0286-000000004903}4304C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-436D-65E5-0186-000000004903}2444C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 154100x8000000000000000168962Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:41.817{03D06954-436D-65E5-0186-000000004903}2444C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168960Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:41.472{03D06954-436D-65E5-FF85-000000004903}4344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-436D-65E5-FE85-000000004903}4596C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logATTACKRANGE\Administrator 154100x8000000000000000168959Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:43:41.464{03D06954-436D-65E5-FE85-000000004903}4596C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list httpServer --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168953Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:50.169{03D06954-42FE-65E5-F785-000000004903}5028C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-42FE-65E5-F685-000000004903}1832C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logATTACKRANGE\Administrator 
154100x8000000000000000168952Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:50.163{03D06954-42FE-65E5-F685-000000004903}1832C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796324Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x13a4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x728btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796323Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x728C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 154100x8000000000000000168950Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.837{03D06954-42FD-65E5-F485-000000004903}4616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-42FD-65E5-F385-000000004903}4388C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logATTACKRANGE\Administrator 4688201331200x80200000000000001796321Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1208C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x1124btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 154100x8000000000000000168949Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.832{03D06954-42FD-65E5-F385-000000004903}4388C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168947Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.501{03D06954-42FD-65E5-F185-000000004903}824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-42FD-65E5-F085-000000004903}3336C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logATTACKRANGE\Administrator 154100x8000000000000000168946Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.496{03D06954-42FD-65E5-F085-000000004903}3336C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168944Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.233{03D06954-42FD-65E5-EE85-000000004903}4244C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-42FD-65E5-ED85-000000004903}864C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logATTACKRANGE\Administrator 
154100x8000000000000000168943Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:49.227{03D06954-42FD-65E5-ED85-000000004903}864C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 4688201331200x80200000000000001796320Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1124C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796318Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x338C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xd08btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796317Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xd08C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796315Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x1094C:\Program 
Files\SplunkUniversalForwarder\bin\btool.exe%%19360x360btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796314Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x360C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796312Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x418C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xf44btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796311Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xf44C:\Windows\System32\Ftp.exe%%19360x4b8C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001796310Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270x4b8C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xb18.\splunk.exe restartNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 154100x8000000000000000168941Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:48.877{03D06954-42FC-65E5-EB85-000000004903}1048C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Program 
Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-42FC-65E5-EA85-000000004903}3908C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logATTACKRANGE\Administrator 154100x8000000000000000168940Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:48.868{03D06954-42FC-65E5-EA85-000000004903}3908C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe.\splunk.exe restartATTACKRANGE\Administrator 154100x8000000000000000168939Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:41:48.836{03D06954-42FC-65E5-E985-000000004903}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe.\splunk.exe restartC:\Program Files\SplunkUniversalForwarder\bin\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" ATTACKRANGE\Administrator 
4688201331200x80200000000000001795151Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xd68C:\Windows\System32\conhost.exe%%19360xb18\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\High Mandatory Level 4688201331200x80200000000000001795146Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x34a3a270xb18C:\Windows\System32\Ftp.exe%%19360x7bc"C:\Windows\system32\Ftp.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\High Mandatory Level 154100x8000000000000000168885Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-03-04 03:32:07.926{03D06954-40B7-65E5-B085-000000004903}2840C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exe"C:\Windows\system32\Ftp.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{03D06954-1F00-65E5-273A-4A0300000000}0x34a3a272HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1F01-65E5-3182-000000004903}1980C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECKATTACKRANGE\Administrator 4104152150x0172651Microsoft-Windows-PowerShell/Operationalar-win-2.attackrange.local11function Invoke-ExecuteCommand ($finalCommand, $executor, $executionPlatform, $TimeoutSeconds, $session = $null, $interactive) { $null = @( if ($null -eq $finalCommand) { return 0 } $finalCommand = $finalCommand.trim() Write-Verbose -Message 'Invoking Atomic Tests using defined executor' if ($executor -eq "command_prompt" -or $executor -eq "sh" -or $executor -eq "bash") { $execPrefix = "-c" $execExe = $executor if ($executor -eq "command_prompt") { $execPrefix = "/c"; $execExe = "Ftp.exe"; $execCommand = $finalCommand -replace "`n", " & " $arguments = $execPrefix, "$execCommand" } else { $finalCommand 
= $finalCommand -replace "[\\](?!;)", "`\$&" $finalCommand = $finalCommand -replace "[`"]", "`\$&" $execCommand = $finalCommand -replace "(?<!;)\n", "; " $arguments = "$execPrefix `"$execCommand`"" } } elseif ($executor -eq "powershell") { $execCommand = $finalCommand -replace "`"", "`\`"`"" if ($session) { if ($executionPlatform -eq "windows") { $execExe = "powershell.exe" } else { $execExe = "pwsh" } } else { $execExe = "powershell.exe"; if ($IsLinux -or $IsMacOS) { $execExe = "pwsh" } } if ($execExe -eq "pwsh") { $arguments = "-Command $execCommand" } else { $arguments = "& {$execCommand}" } } else { Write-Warning -Message "Unable to generate or execute the command line properly. Unknown executor" return [PSCustomObject]@{ StandardOutput = "" ErrorOutput = "" ExitCode = -1 IsTimeOut = $false } } # Write-Host -ForegroundColor Magenta "$execExe $arguments" if ($session) { $scriptParentPath = Split-Path $import -Parent $fp = Join-Path $scriptParentPath "Invoke-Process.ps1" $fp2 = Join-Path $scriptParentPath "Invoke-KillProcessTree.ps1" invoke-command -Session $session -FilePath $fp invoke-command -Session $session -FilePath $fp2 $res = invoke-command -Session $session -ScriptBlock { Invoke-Process -filename $Using:execExe -Arguments $Using:arguments -TimeoutSeconds $Using:TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt" } } else { if ($interactive) { # This use case is: Local execution of tests that contain interactive prompts # In this situation, let the stdout/stderr flow to the console $res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds } else { # Local execution that DO NOT contain interactive prompts # In this situation, capture the stdout/stderr for Invoke-AtomicTest to send to the caller $res = Invoke-Process -filename $execExe -Arguments $arguments -TimeoutSeconds $TimeoutSeconds -stdoutFile "art-out.txt" -stderrFile "art-err.txt" } } ) $res } 
beb39d62-45b4-4e9e-b96d-9fe83ab73406C:\AtomicRedTeam\invoke-atomicredteam\Private\Invoke-ExecuteCommand.ps1 4104132150x0172636Microsoft-Windows-PowerShell/Operationalar-win-2.attackrange.local11# The class definitions that these functions rely upon are located in Private\AtomicClassSchema.ps1 function New-AtomicTechnique { <# .SYNOPSIS Specifies a new atomic red team technique. The output of this function is designed to be piped directly to ConvertTo-Yaml, eliminating the need to work with YAML directly. .PARAMETER AttackTechnique Specifies one or more MITRE ATT&CK techniques that to which this technique applies. Per MITRE naming convention, an attack technique should start with "T" followed by a 4 digit number. The MITRE sub-technique format is also supported: TNNNN.NNN .PARAMETER DisplayName Specifies the name of the technique as defined by ATT&CK. Example: 'Audio Capture' .PARAMETER AtomicTests Specifies one or more atomic tests. Atomic tests are created using the New-AtomicTest function. 
.EXAMPLE $InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll' $InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs' $AtomicTest1 = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) '@ # Note: the input arguments are identical for atomic test #1 and #2 $AtomicTest2 = New-AtomicTest -Name 'InstallUtil GetHelp method call' -Description 'Executes the Help property' -SupportedPlatforms Windows -InputArguments @($InputArg1, $InputArg2) -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown) '@ $AtomicTechnique = New-AtomicTechnique -AttackTechnique T1118 -DisplayName InstallUtil -AtomicTests $AtomicTest1, $AtomicTest2 # Everything is ready to convert to YAML now! $AtomicTechnique | ConvertTo-Yaml | Out-File T1118.yaml .OUTPUTS AtomicTechnique Outputs an object representing an atomic technique. The output of New-AtomicTechnique is designed to be piped to ConvertTo-Yaml. 
#> [CmdletBinding()] [OutputType([AtomicTechnique])] param ( [Parameter(Mandatory)] [String[]] $AttackTechnique, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $DisplayName, [Parameter(Mandatory)] [AtomicTest[]] [ValidateNotNull()] $AtomicTests ) $AtomicTechniqueInstance = [AtomicTechnique]::new() foreach ($Technique in $AttackTechnique) { # Attack techniques should match the MITRE ATT&CK [sub-]technique format. # This is not a requirement so just warn the user. if ($Technique -notmatch '^(?-i:T\d{4}(\.\d{3}){0,1})$') { Write-Warning "The following supplied attack technique does not start with 'T' followed by a four digit number: $Technique" } } $AtomicTechniqueInstance.attack_technique = $AttackTechnique $AtomicTechniqueInstance.display_name = $DisplayName $AtomicTechniqueInstance.atomic_tests = $AtomicTests return $AtomicTechniqueInstance } function New-AtomicTest { <# .SYNOPSIS Specifies an atomic test. .PARAMETER Name Specifies the name of the test that indicates how it tests the technique. .PARAMETER Description Specifies a long form description of the test. Markdown is supported. .PARAMETER SupportedPlatforms Specifies the OS/platform on which the test is designed to run. The following platforms are currently supported: Windows, macOS, Linux. A single test can support multiple platforms. .PARAMETER ExecutorType Specifies the the framework or application in which the test should be executed. The following executor types are currently supported: CommandPrompt, Sh, Bash, PowerShell. - CommandPrompt: The Windows Command Prompt, aka Ftp.exe Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by Ftp.exe. 
- PowerShell: PowerShell Requires the -ExecutorCommand argument to contain a multi-line PowerShell scriptblock that will be preprocessed and then executed by powershell.exe - Sh: Linux's bourne shell Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by sh. - Bash: Linux's bourne again shell Requires the -ExecutorCommand argument to contain a multi-line script that will be preprocessed and then executed by bash. .PARAMETER ExecutorElevationRequired Specifies that the test must run with elevated privileges. .PARAMETER ExecutorSteps Specifies a manual list of steps to execute. This should be specified when the atomic test cannot be executed in an automated fashion, for example when GUI steps are involved that cannot be automated. .PARAMETER ExecutorCommand Specifies the command to execute as part of the atomic test. This should be specified when the atomic test can be executed in an automated fashion. The -ExecutorType specified will dictate the command specified, e.g. PowerShell scriptblock code when the "PowerShell" ExecutorType is specified. .PARAMETER ExecutorCleanupCommand Specifies the command to execute if there are any artifacts that need to be cleaned up. .PARAMETER InputArguments Specifies one or more input arguments. Input arguments are defined using the New-AtomicTestInputArgument function. .PARAMETER DependencyExecutorType Specifies an override execution type for dependencies. By default, dependencies are executed using the framework specified in -ExecutorType. In most cases, 'PowerShell' is specified as a dependency executor type when 'CommandPrompt' is specified as an executor type. .PARAMETER Dependencies Specifies one or more dependencies. Dependencies are defined using the New-AtomicTestDependency function. 
.EXAMPLE $InputArg1 = New-AtomicTestInputArgument -Name filename -Description 'location of the payload' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.dll' $InputArg2 = New-AtomicTestInputArgument -Name source -Description 'location of the source code to compile' -Type Path -Default 'PathToAtomicsFolder\T1118\src\T1118.cs' $AtomicTest = New-AtomicTest -Name 'InstallUtil uninstall method call' -Description 'Executes the Uninstall Method' -SupportedPlatforms Windows -InputArguments $InputArg1, $InputArg2 -ExecutorType CommandPrompt -ExecutorCommand @' C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#(unknown) #{source} C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown) '@ .OUTPUTS AtomicTest Outputs an object representing an atomic test. This object is intended to be supplied to the New-AtomicTechnique -AtomicTests parameter. The output of New-AtomicTest can be piped to ConvertTo-Yaml. The resulting output can be added to an existing atomic technique YAML doc. 
#> [CmdletBinding(DefaultParameterSetName = 'AutomatedExecutor')] [OutputType([AtomicTest])] param ( [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Name, [Parameter(Mandatory)] [String] [ValidateNotNullOrEmpty()] $Description, [Parameter(Mandatory)] [String[]] [ValidateSet('Windows', 'macOS', 'Linux')] $SupportedPlatforms, [Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')] [String] [ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')] $ExecutorType, [Switch] $ExecutorElevationRequired, [Parameter(Mandatory, ParameterSetName = 'ManualExecutor')] [String] [ValidateNotNullOrEmpty()] $ExecutorSteps, [Parameter(Mandatory, ParameterSetName = 'AutomatedExecutor')] [String] [ValidateNotNullOrEmpty()] $ExecutorCommand, [String] [ValidateNotNullOrEmpty()] $ExecutorCleanupCommand, [AtomicInputArgument[]] $InputArguments, [String] [ValidateSet('CommandPrompt', 'Sh', 'Bash', 'PowerShell')] $DependencyExecutorType, [AtomicDependency[]] $Dependencies ) $AtomicTestInstance = [AtomicTest]::new() $AtomicTestInstance.name = $Name $AtomicTestInstance.description = $Description $AtomicTestInstance.supported_platforms = $SupportedPlatforms | ForEach-Object { $_.ToLower() } $StringsWithPotentialInputArgs = New-Object -TypeName 'System.Collections.Generic.List`1[String]' switch ($PSCmdlet.ParameterSetName) { 'AutomatedExecutor' { $ExecutorInstance = [AtomicExecutorDefault]::new() $ExecutorInstance.command = $ExecutorCommand $StringsWithPotentialInputArgs.Add($ExecutorCommand) } 'ManualExecutor' { $ExecutorInstance = [AtomicExecutorManual]::new() $ExecutorInstance.steps = $ExecutorSteps $StringsWithPotentialInputArgs.Add($ExecutorSteps) } } switch ($ExecutorType) { 'CommandPrompt' { $ExecutorInstance.name = 'command_prompt' } default { $ExecutorInstance.name = $ExecutorType.ToLower() } } if ($ExecutorCleanupCommand) { $ExecutorInstance.cleanup_command = $ExecutorCleanupCommand $StringsWithPotentialInputArgs.Add($ExecutorCleanupCommand) } if 
($ExecutorElevationRequired) { $ExecutorInstance.elevation_required = $True } if ($Dependencies) { foreach ($Dependency in $Dependencies) { $StringsWithPotentialInputArgs.Add($Dependency.description) $StringsWithPotentialInputArgs.Add($Dependency.prereq_command) $StringsWithPotentialInputArgs.Add($Dependency.get_prereq_command) } } if ($DependencyExecutorType) { switch ($DependencyExecutorType) { 'CommandPrompt' { $AtomicTestInstance.dependency_executor_name = 'command_prompt' } default { $AtomicTestInstance.dependency_executor_name = $DependencyExecutorType.ToLower() } } } $AtomicTestInstance.dependencies = $Dependencies [Hashtable] $InputArgHashtable = @{ } if ($InputArguments.Count) { # Determine if any of the input argument names repeat. They must be unique. $InputArguments | Group-Object -Property Name | Where-Object { $_.Count -gt 1 } | ForEach-Object { Write-Error "There are $($_.Count) instances of the $($_.Name) input argument. Input argument names must be unique." return } # Convert each input argument to a hashtable where the key is the Name property. foreach ($InputArg in $InputArguments) { # Create a copy of the passed input argument that doesn't include the "Name" property. # Passing in a shallow copy adversely affects YAML serialization for some reason. $NewInputArg = [AtomicInputArgument]::new() $NewInputArg.default = $InputArg.default $NewInputArg.description = $InputArg.description $NewInputArg.type = $InputArg.type $InputArgHashtable[$InputArg.Name] = $NewInputArg } $AtomicTestInstance.input_arguments = $InputArgHashtable } # Extract all specified input arguments from executor and any dependencies. 
$Regex = [Regex] '#\{(?<ArgName>[^}]+)\}'
# Collect every #{arg_name} token referenced by the strings gathered into
# $StringsWithPotentialInputArgs above (executor command/steps, cleanup command,
# dependency description and prereq commands), de-duplicated and sorted.
[String[]] $InputArgumentNamesFromExecutor = $StringsWithPotentialInputArgs |
    ForEach-Object { $Regex.Matches($_) } |
    Select-Object -ExpandProperty Groups |
    Where-Object { $_.Name -eq 'ArgName' } |
    Select-Object -ExpandProperty Value |
    Sort-Object -Unique
# Validate that all executor arguments are defined as input arguments
if ($InputArgumentNamesFromExecutor.Count) {
    $InputArgumentNamesFromExecutor | ForEach-Object {
        if ($InputArgHashtable.Keys -notcontains $_) {
            Write-Error "The following input argument was specified but is not defined: '$_'"
            # NOTE(review): this 'return' only leaves the ForEach-Object script block for the
            # current item, not New-AtomicTest itself, and Write-Error is non-terminating by
            # default; the test object is therefore still assembled and returned below after
            # the error unless the caller uses -ErrorAction Stop. Confirm that is intended.
            return
        }
    }
}
# Validate that all defined input args are utilized at least once in the executor.
if ($InputArgHashtable.Keys.Count) {
    $InputArgHashtable.Keys | ForEach-Object {
        if ($InputArgumentNamesFromExecutor -notcontains $_) {
            # Write a warning since this scenario is not considered a breaking change
            Write-Warning "The following input argument is defined but not utilized: '$_'."
        }
    }
}
$AtomicTestInstance.executor = $ExecutorInstance
return $AtomicTestInstance
}

function New-AtomicTestDependency {
<#
.SYNOPSIS

Specifies a new dependency that must be met prior to execution of an atomic test.

.PARAMETER Description

Specifies a human-readable description of the dependency. This should be worded in the following form: SOMETHING must SOMETHING

.PARAMETER PrereqCommand

Specifies commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.

.PARAMETER GetPrereqCommand

Specifies commands to meet this prerequisite or a message describing how to meet this prereq. More specifically, this command is designed to satisfy either of the following conditions:

1) If a prerequisite is not met, perform steps necessary to satisfy the prerequisite. Such a command should be implemented when prerequisites can be satisfied in an automated fashion.

2) If a prerequisite is not met, inform the user what the steps are to satisfy the prerequisite. Such a message should be presented to the user in the case that prerequisites cannot be satisfied in an automated fashion.

.EXAMPLE

$Dependency = New-AtomicTestDependency -Description 'Folder to zip must exist (#{input_file_folder})' -PrereqCommand 'test -e #{input_file_folder}' -GetPrereqCommand 'echo Please set input_file_folder argument to a folder that exists'

.OUTPUTS

AtomicDependency

Outputs an object representing an atomic test dependency. This object is intended to be supplied to the New-AtomicTest -Dependencies parameter.

Note: due to a bug in PowerShell classes, the get_prereq_command property will not display by default. If all fields must be explicitly displayed, they can be viewed by piping output to "Select-Object description, prereq_command, get_prereq_command".

.NOTES

The three strings are stored verbatim. Beyond the non-empty check in the param block, this function performs no validation or escaping of the command text.
#>
    [CmdletBinding()]
    [OutputType([AtomicDependency])]
    param (
        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $Description,

        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $PrereqCommand,

        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $GetPrereqCommand
    )

    # Plain field-by-field copy into the AtomicDependency class instance.
    $DependencyInstance = [AtomicDependency]::new()
    $DependencyInstance.description = $Description
    $DependencyInstance.prereq_command = $PrereqCommand
    $DependencyInstance.get_prereq_command = $GetPrereqCommand
    return $DependencyInstance
}

function New-AtomicTestInputArgument {
<#
.SYNOPSIS

Specifies an input to an atomic test that is a requirement to run the test (think of these like function arguments).

.PARAMETER Name

Specifies the name of the input argument. This must be lowercase and can optionally have underscores. The input argument name is what is specified as arguments within executors and dependencies.

.PARAMETER Description

Specifies a human-readable description of the input argument.

.PARAMETER Type

Specifies the data type of the input argument. The following data types are supported: Path, Url, String, Integer, Float. If an alternative data type must be supported, use the -TypeOverride parameter.

.PARAMETER TypeOverride

Specifies an unsupported input argument data type. Specifying this parameter should not be common.

.PARAMETER Default

Specifies a default value for an input argument if one is not specified via the Invoke-AtomicTest -InputArgs parameter. The value is stored as supplied; nothing in this function constrains its contents (see the type-validation note in the body).

.EXAMPLE

$AtomicInputArgument = New-AtomicTestInputArgument -Name 'rar_exe' -Type Path -Description 'The RAR executable from Winrar' -Default '%programfiles%\WinRAR\Rar.exe'

.OUTPUTS

AtomicInputArgument

Outputs an object representing an atomic test input argument. This object is intended to be supplied to the New-AtomicTest -InputArguments parameter.
#>
    [CmdletBinding(DefaultParameterSetName = 'PredefinedType')]
    [OutputType([AtomicInputArgument])]
    param (
        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $Name,

        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $Description,

        [Parameter(Mandatory, ParameterSetName = 'PredefinedType')]
        [String]
        [ValidateSet('Path', 'Url', 'String', 'Integer', 'Float')]
        $Type,

        [Parameter(Mandatory, ParameterSetName = 'TypeOverride')]
        [String]
        [ValidateNotNullOrEmpty()]
        $TypeOverride,

        [Parameter(Mandatory)]
        [String]
        [ValidateNotNullOrEmpty()]
        $Default
    )

    # The inline (?-i:) switches off the case-insensitivity that -notmatch applies by
    # default, so upper-case names are rejected here even though the rest of the
    # pattern would otherwise accept them. This 'return' is at function scope and
    # really does stop construction.
    if ($Name -notmatch '^(?-i:[0-9a-z_]+)$') {
        Write-Error "Input argument names must be lowercase and optionally, contain underscores. Input argument name supplied: $Name"
        return
    }

    $AtomicInputArgInstance = [AtomicInputArgument]::new()
    $AtomicInputArgInstance.description = $Description
    $AtomicInputArgInstance.default = $Default

    if ($Type) {
        $AtomicInputArgInstance.type = $Type
        # Validate input argument types when it makes sense to do so.
        # NOTE(review): each check below inspects $Type (the type *name*, e.g. 'Url'), not
        # $Default. As written the 'Url' branch will likely never warn (the literal 'Url'
        # is itself a well-formed relative URI) and the 'Integer' / 'Float' branches will
        # warn on every call, since the literals 'Integer' / 'Float' never parse as
        # numbers. The intended operand appears to be $Default - confirm and fix upstream.
        switch ($Type) {
            'Url' {
                if (-not [Uri]::IsWellFormedUriString($Type, [UriKind]::RelativeOrAbsolute)) {
                    Write-Warning "The specified Url is not properly formatted: $Type"
                }
            }
            'Integer' {
                if (-not [Int]::TryParse($Type, [Ref] $null)) {
                    Write-Warning "The specified Int is not properly formatted: $Type"
                }
            }
            'Float' {
                if (-not [Double]::TryParse($Type, [Ref] $null)) {
                    Write-Warning "The specified Float is not properly formatted: $Type"
                }
            }
            # The following supported data types do not make sense to validate:
            # 'Path' { }
            # 'String' { }
        }
    }
    else {
        # -TypeOverride bypasses the ValidateSet above; the value is stored unchecked.
        $AtomicInputArgInstance.type = $TypeOverride
    }

    # Add Name as a note property since the Name property cannot be defined in the AtomicInputArgument
    # since it must be stored as a hashtable where the name is the key. Fortunately, ConvertTo-Yaml
    # won't convert note properties during serialization.
    $InputArgument = Add-Member -InputObject $AtomicInputArgInstance -MemberType NoteProperty -Name Name -Value $Name -PassThru
    return $InputArgument
}
84fc79a8-5763-4b2d-b489-4fa69aa8f734C:\AtomicRedTeam\invoke-atomicredteam\Public\New-Atomic.ps1 4104152150x0172618Microsoft-Windows-PowerShell/Operationalar-win-2.attackrange.local12
function Invoke-AtomicTest {
    [CmdletBinding(DefaultParameterSetName = 'technique', SupportsShouldProcess = $true, PositionalBinding = $false, ConfirmImpact = 'Medium')]
    Param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')]
        [ValidateNotNullOrEmpty()]
        [String[]]
        $AtomicTechnique,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')]
        [switch]
        $ShowDetails,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')]
        [switch]
        $ShowDetailsBrief,

        [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')]
        [switch]
        $anyOS,

        [Parameter(Mandatory = $false, ParameterSetName = 'technique')]
        [String[]]
        $TestNumbers,
[Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String[]] $TestNames, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String[]] $TestGuids, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] $PathToAtomicsFolder = $( if ($IsLinux -or $IsMacOS) { $Env:HOME + "/AtomicRedTeam/atomics" } else { $env:HOMEDRIVE + "\AtomicRedTeam\atomics" }), [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $CheckPrereqs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $PromptForInputArgs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $GetPrereqs = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $Cleanup = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $NoExecutionLog = $false, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [String] $ExecutionLogPath = $( if ($IsLinux -or $IsMacOS) { "/tmp/Invoke-AtomicTest-ExecutionLog.csv" } else { "$env:TEMP\Invoke-AtomicTest-ExecutionLog.csv" }), [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $Force, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [HashTable] $InputArgs, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [Int] $TimeoutSeconds = 120, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [System.Management.Automation.Runspaces.PSSession[]]$Session, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $Interactive = $false, [Parameter(Mandatory = $false, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'technique')] [switch] $KeepStdOutStdErrFiles = $false, [Parameter(Mandatory = $false, ParameterSetName = 
'technique')] [String] $LoggingModule, [Parameter(Mandatory = $false, ParameterSetName = 'technique')] [switch] $SupressPathToAtomicsFolder = $false ) BEGIN { } # Intentionally left blank and can be removed PROCESS { $PathToAtomicsFolder = (Resolve-Path $PathToAtomicsFolder).Path Write-Verbose -Message 'Attempting to run Atomic Techniques' if (-not $supressPathToAtomicsFolder) { Write-Host -ForegroundColor Cyan "PathToAtomicsFolder = $PathToAtomicsFolder`n" } $executionPlatform, $isElevated, $tmpDir, $executionHostname, $executionUser = Get-TargetInfo $Session $PathToPayloads = if ($Session) { "$tmpDir`AtomicRedTeam" } else { $PathToAtomicsFolder } # Since there might a comma(T1559-1,2,3) Powershell takes it as array. # So converting it back to string. if ($AtomicTechnique -is [array]) { $AtomicTechnique = $AtomicTechnique -join "," } # Splitting Atomic Technique short form into technique and test numbers. $AtomicTechniqueParams = ($AtomicTechnique -split '-') $AtomicTechnique = $AtomicTechniqueParams[0] if ($AtomicTechniqueParams.Length -gt 1) { $ShortTestNumbers = $AtomicTechniqueParams[-1] } if ($null -eq $TestNumbers -and $null -ne $ShortTestNumbers) { $TestNumbers = $ShortTestNumbers -split ',' } $isLoggingModuleSet = $false if (-not $NoExecutionLog) { $isLoggingModuleSet = $true if (-not $PSBoundParameters.ContainsKey('LoggingModule')) { # no logging module explicitly set # syslog logger $syslogOptionsSet = [bool]$artConfig.syslogServer -and [bool]$artConfig.syslogPort if ( $artConfig.LoggingModule -eq "Syslog-ExecutionLogger" -or (($artConfig.LoggingModule -eq '') -and $syslogOptionsSet) ) { if ($syslogOptionsSet) { $LoggingModule = "Syslog-ExecutionLogger" } else { Write-Host -Fore Yellow "Config.ps1 specified: Syslog-ExecutionLogger, but the syslogServer and syslogPort must be specified. 
Using the default logger instead" $LoggingModule = "Default-ExecutionLogger" } } elseif (-not [bool]$artConfig.LoggingModule) { # loggingModule is blank (not set), so use the default logger $LoggingModule = "Default-ExecutionLogger" } else { $LoggingModule = $artConfig.LoggingModule } } } if ($isLoggingModuleSet) { if (Get-Module -name $LoggingModule) { Write-Verbose "Using Logger: $LoggingModule" } else { Write-Host -Fore Yellow "Logger not found: ", $LoggingModule } # Change the defult logFile extension from csv to json and add a timestamp if using the Attire-ExecutionLogger if ($LoggingModule -eq "Attire-ExecutionLogger") { $ExecutionLogPath = $ExecutionLogPath.Replace("Invoke-AtomicTest-ExecutionLog.csv", "Invoke-AtomicTest-ExecutionLog-timestamp.json") } $ExecutionLogPath = $ExecutionLogPath.Replace("timestamp", $(Get-Date -UFormat %s)) if (Get-Command "$LoggingModule\Start-ExecutionLog" -erroraction silentlycontinue) { if (Get-Command "$LoggingModule\Write-ExecutionLog" -erroraction silentlycontinue) { if (Get-Command "$LoggingModule\Stop-ExecutionLog" -erroraction silentlycontinue) { Write-Verbose "All logging commands found" } else { Write-Host "Stop-ExecutionLog not found or loaded from the wrong module" return } } else { Write-Host "Write-ExecutionLog not found or loaded from the wrong module" return } } else { Write-Host "Start-ExecutionLog not found or loaded from the wrong module" return } # Here we're rebuilding an equivalent command line to put in the logs $commandLine = "Invoke-AtomicTest $AtomicTechnique" if ($ShowDetails -ne $false) { $commandLine = "$commandLine -ShowDetails $ShowDetails" } if ($ShowDetailsBrief -ne $false) { $commandLine = "$commandLine -ShowDetailsBrief $ShowDetailsBrief" } if ($null -ne $TestNumbers) { $commandLine = "$commandLine -TestNumbers $TestNumbers" } if ($null -ne $TestNames) { $commandLine = "$commandLine -TestNames $TestNames" } if ($null -ne $TestGuids) { $commandLine = "$commandLine -TestGuids $TestGuids" } 
$commandLine = "$commandLine -PathToAtomicsFolder $PathToAtomicsFolder"
if ($CheckPrereqs -ne $false) { $commandLine = "$commandLine -CheckPrereqs $CheckPrereqs" }
if ($PromptForInputArgs -ne $false) { $commandLine = "$commandLine -PromptForInputArgs $PromptForInputArgs" }
if ($GetPrereqs -ne $false) { $commandLine = "$commandLine -GetPrereqs $GetPrereqs" }
if ($Cleanup -ne $false) { $commandLine = "$commandLine -Cleanup $Cleanup" }
if ($NoExecutionLog -ne $false) { $commandLine = "$commandLine -NoExecutionLog $NoExecutionLog" }
$commandLine = "$commandLine -ExecutionLogPath $ExecutionLogPath"
if ($Force -ne $false) { $commandLine = "$commandLine -Force $Force" }
# NOTE(review): -InputArgs is a [HashTable]; string interpolation of a hashtable typically
# yields its type name rather than the keys/values, so the command line written to the
# execution log does not currently reproduce the argument values. Input arguments are
# user-supplied and may contain secrets, so if this is ever changed to expand the values
# the log would hold them in clear text - keep that in mind.
if ($InputArgs -ne $null) { $commandLine = "$commandLine -InputArgs $InputArgs" }
$commandLine = "$commandLine -TimeoutSeconds $TimeoutSeconds"
if ($PSBoundParameters.ContainsKey('Session')) {
    if ( $null -eq $Session ) {
        Write-Error "The provided session is null and cannot be used."
        # presumably meant to abandon this pipeline input; 'continue' outside a loop in a
        # PROCESS block ends the current pipeline rather than advancing - verify.
        continue
    }
    else {
        $commandLine = "$commandLine -Session $Session"
    }
}
if ($Interactive -ne $false) { $commandLine = "$commandLine -Interactive $Interactive" }
if ($KeepStdOutStdErrFiles -ne $false) { $commandLine = "$commandLine -KeepStdOutStdErrFiles $KeepStdOutStdErrFiles" }
if ($null -ne $LoggingModule) { $commandLine = "$commandLine -LoggingModule $LoggingModule" }
$startTime = Get-Date
# Hand the reconstructed command line, target host/user and start time to the logger
# module selected earlier; the last argument flags whether the controller is Windows.
&"$LoggingModule\Start-ExecutionLog" $startTime $ExecutionLogPath $executionHostname $executionUser $commandLine (-Not($IsLinux -or $IsMacOS))
}

# Nested helpers. They read $test, $PathToAtomicsFolder and $executionPlatform from the
# enclosing Invoke-AtomicTest scope instead of taking them as parameters.
function Platform-IncludesCloud {
    # True when the current $test lists any cloud or container platform.
    $cloud = ('office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp')
    foreach ($platform in $test.supported_platforms) {
        if ($cloud -contains $platform) {
            return $true
        }
    }
    return $false
}

function Test-IncludesTerraform($AT, $testCount) {
    # Reports whether <AT>\src\<AT>-<n>\<AT>-<n>.tf exists under the atomics folder,
    # but only for tests that declare an iaas/container platform; others get $false.
    $AT = $AT.ToUpper()
    $pathToTerraform = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount\$AT-$testCount.tf"
    $cloud = ('iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp')
    foreach ($platform in $test.supported_platforms) {
        if ($cloud -contains $platform) {
            return $(Test-Path -Path $pathToTerraform)
        }
    }
    return $false
}

function Build-TFVars($AT, $testCount, $InputArgs) {
    # Serialises the supplied input arguments to terraform.tfvars.json next to the
    # test's Terraform source. NOTE(review): the file is written in clear text inside
    # the atomics tree and only Remove-TerraformFiles below deletes it, so any secret
    # passed as an input argument sits on disk for the life of the test run.
    $tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount"
    if ($InputArgs) {
        $destinationVarsPath = Join-Path "$tmpDirPath" "terraform.tfvars.json"
        $InputArgs | ConvertTo-Json | Out-File -FilePath $destinationVarsPath
    }
}

function Remove-TerraformFiles($AT, $testCount) {
    # Cleans up the tfvars and state files Build-TFVars / terraform left behind.
    $tmpDirPath = Join-Path $PathToAtomicsFolder "\$AT\src\$AT-$testCount"
    Write-Host $tmpDirPath
    $tfStateFile = Join-Path $tmpDirPath "terraform.tfstate"
    $tfvarsFile = Join-Path $tmpDirPath "terraform.tfvars.json"
    if ($(Test-Path $tfvarsFile)) {
        Remove-Item -LiteralPath $tfvarsFile -Force
    }
    if ($(Test-Path $tfStateFile)) {
        # NOTE(review): -match is a regex test, not a wildcard one. In "terraform.tfstate*"
        # the '.' matches any character and the trailing 'e*' is optional, so any path
        # containing "terraform?tfstat" qualifies (e.g. terraform.tfstate.backup). With an
        # array on the left, -match returns the matching elements, which is what feeds
        # Remove-Item here.
        (Get-ChildItem -Path $tmpDirPath).Fullname -match "terraform.tfstate*" | Remove-Item -Force
    }
}

function Invoke-AtomicTestSingle ($AT) {
    $AT = $AT.ToUpper()
    $pathToYaml = Join-Path $PathToAtomicsFolder "\$AT\$AT.yaml"
    if (Test-Path -Path $pathToYaml) {
        $AtomicTechniqueHash = Get-AtomicTechnique -Path $pathToYaml
    }
    else {
        Write-Host -Fore Red "ERROR: $PathToYaml does not exist`nCheck your Atomic Number and your PathToAtomicsFolder parameter"
        return
    }
    $techniqueCount = 0
    $numAtomicsApplicableToPlatform = 0
    $techniqueString = ""
    foreach ($technique in $AtomicTechniqueHash) {
        $techniqueString = $technique.attack_technique[0]
        $techniqueCount++
        $props = @{
            Activity        = "Running $($technique.display_name.ToString()) Technique"
            Status          = 'Progress:'
            PercentComplete = ($techniqueCount / ($AtomicTechniqueHash).Count * 100)
        }
        Write-Progress @props
        Write-Debug -Message "Gathering tests for Technique $technique"
        $testCount = 0
        foreach ($test in $technique.atomic_tests) {
            Write-Verbose -Message 'Determining tests for target platform'
            $testCount++
            # Platform filtering is skipped entirely when -anyOS is set.
            if (-not $anyOS) {
                if ( -not $(Platform-IncludesCloud) -and -Not $test.supported_platforms.Contains($executionPlatform) ) {
Write-Verbose -Message "Unable to run non-$executionPlatform tests" continue } if ( $executionPlatform -eq "windows" -and ($test.executor.name -eq "sh" -or $test.executor.name -eq "bash")) { Write-Verbose -Message "Unable to run sh or bash on $executionPlatform" continue } if ( ("linux", "macos") -contains $executionPlatform -and $test.executor.name -eq "command_prompt") { Write-Verbose -Message "Unable to run Ftp.exe on $executionPlatform" continue } } if ($null -ne $TestNumbers) { if (-Not ($TestNumbers -contains $testCount) ) { continue } } if ($null -ne $TestNames) { if (-Not ($TestNames -contains $test.name) ) { continue } } if ($null -ne $TestGuids) { if (-Not ($TestGuids -contains $test.auto_generated_guid) ) { continue } } $props = @{ Activity = 'Running Atomic Tests' Status = 'Progress:' PercentComplete = ($testCount / ($technique.atomic_tests).Count * 100) } Write-Progress @props Write-Verbose -Message 'Determining manual tests' if ($test.executor.name.Contains('manual')) { Write-Verbose -Message 'Unable to run manual tests' continue } $numAtomicsApplicableToPlatform++ $testId = "$AT-$testCount $($test.name)" if ($ShowDetailsBrief) { Write-KeyValue $testId continue } if ($PromptForInputArgs) { $InputArgs = Invoke-PromptForIna77f15cb-f171-4ebc-9ff8-b4fa77369584C:\AtomicRedTeam\invoke-atomicredteam\Public\Invoke-AtomicTest.ps1 4688201331200x80200000000000001482361Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xde8C:\Windows\System32\reg.exe%%19360xd08C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001482360Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd08C:\Windows\System32\Ftp.exe%%19360xe08C:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v 
collectionstate /reg:64NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001482359Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe00C:\Windows\System32\conhost.exe%%19360xe08\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001482358Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe08C:\Windows\System32\Ftp.exe%%19360x3dc"C:\Windows\system32\Ftp.exe" /d /c C:\Windows\system32\silcollector.cmd configureNULL SID--0x0C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level 02/29/2024 05:22:57 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=201 EventType=4 ComputerName=ar-win-dc.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=3565 Keywords=None TaskCategory=Action completed OpCode=Stop Message=Task Scheduler successfully completed task "\Microsoft\Windows\Software Inventory Logging\Configuration" , instance "{2242BAE7-F07A-4C8B-B978-C29560474F39}" , action "%systemroot%\system32\Ftp.exe" with return code 0. 
154100x8000000000000000135877Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:57.968{03D06954-14B1-65E0-6C00-000000004903}3560C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{03D06954-14B1-65E0-6B00-000000004903}3336C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64NT AUTHORITY\SYSTEM 02/29/2024 05:22:57 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=200 EventType=4 ComputerName=ar-win-dc.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=3564 Keywords=None TaskCategory=Action started OpCode=Start Message=Task Scheduler launched action "%systemroot%\system32\Ftp.exe" in instance "{2242BAE7-F07A-4C8B-B978-C29560474F39}" of task "\Microsoft\Windows\Software Inventory Logging\Configuration". 
154100x8000000000000000135876Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:57.960{03D06954-14B1-65E0-6B00-000000004903}3336C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-14B1-65E0-6900-000000004903}3592C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" /d /c C:\Windows\system32\silcollector.cmd configureNT AUTHORITY\SYSTEM 02/29/2024 05:22:57 AM LogName=Microsoft-Windows-TaskScheduler/Operational EventCode=129 EventType=4 ComputerName=ar-win-dc.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-TaskScheduler Type=Information RecordNumber=3562 Keywords=None TaskCategory=Created Task Process OpCode=Info Message=Task Scheduler launch task "\Microsoft\Windows\Software Inventory Logging\Configuration" , instance "%systemroot%\system32\Ftp.exe" with process ID 3592. 
4688201331200x8020000000000000653334Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x968C:\Windows\System32\reg.exe%%19360x964C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653333Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x964C:\Windows\System32\Ftp.exe%%19360xa70C:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653332Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb20C:\Windows\System32\conhost.exe%%19360xa70\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653331Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa70C:\Windows\System32\Ftp.exe%%19360x37c"C:\Windows\system32\Ftp.exe" /d /c C:\Windows\system32\silcollector.cmd configureNULL SID--0x0C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000134381Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:55.651{7A09209E-14AF-65E0-6500-000000004903}2408C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7A09209E-14AF-65E0-6400-000000004903}2404C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64NT AUTHORITY\SYSTEM 154100x8000000000000000134380Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:55.627{7A09209E-14AF-65E0-6400-000000004903}2404C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-14AF-65E0-6200-000000004903}2672C:\Windows\System32\Ftp.exe"C:\Windows\system32\Ftp.exe" /d /c C:\Windows\system32\silcollector.cmd configureNT AUTHORITY\SYSTEM 4688201331200x80200000000000001328529Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xfe4C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328528Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xfd0C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL 
SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328527Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xfbcC:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328526Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xfa8C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328525Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf94C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328524Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf80C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328523Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf6cC:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System 
Mandatory Level 4688201331200x80200000000000001328522Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf58C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328521Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf40C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000135800Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.955{03D06954-148C-65E0-5E00-000000004903}4068C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135799Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.845{03D06954-148C-65E0-5D00-000000004903}4048C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program 
Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135798Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.738{03D06954-148C-65E0-5C00-000000004903}4028C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135797Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.626{03D06954-148C-65E0-5B00-000000004903}4008C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135796Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.517{03D06954-148C-65E0-5A00-000000004903}3988C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135795Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.408{03D06954-148C-65E0-5900-000000004903}3968C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135794Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.299{03D06954-148C-65E0-5800-000000004903}3948C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135793Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:20.191{03D06954-148C-65E0-5700-000000004903}3928C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135792Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 
05:22:20.050{03D06954-148C-65E0-5600-000000004903}3904C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001328520Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf2cC:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328513Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf0cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xf00"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328512Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xf00C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 
4688201331200x80200000000000001328510Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xed4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xec8btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328509Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xec8C:\Windows\System32\Ftp.exe%%19360xd8cC:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000135791Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:19.939{03D06954-148B-65E0-5500-000000004903}3884C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135790Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:19.600{03D06954-148B-65E0-5400-000000004903}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-148B-65E0-5300-000000004903}3840C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000135789Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:19.595{03D06954-148B-65E0-5300-000000004903}3840C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135787Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:19.230{03D06954-148B-65E0-5100-000000004903}3796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-148B-65E0-5000-000000004903}3784C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT 
AUTHORITY\SYSTEM 154100x8000000000000000135786Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:19.223{03D06954-148B-65E0-5000-000000004903}3784C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1488-65E0-4300-000000004903}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001328507Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xea0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xe94btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328506Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xe94C:\Windows\System32\Ftp.exe%%19360xd8cC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000135784Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:18.771{03D06954-148A-65E0-4E00-000000004903}3744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-148A-65E0-4D00-000000004903}3732C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000135783Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:18.761{03D06954-148A-65E0-4D00-000000004903}3732C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1488-65E0-4300-000000004903}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x80200000000000001328455Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd8cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xd80"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328454Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd80C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory 
Label\System Mandatory Level 154100x8000000000000000135770Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:16.382{03D06954-1488-65E0-4300-000000004903}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-1488-65E0-4200-000000004903}3456C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000135769Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:16.375{03D06954-1488-65E0-4200-000000004903}3456C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x80200000000000001328446Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd50C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xd44btool server list sslConfig 
--no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328445Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd44C:\Windows\System32\Ftp.exe%%19360x888C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328421Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xcf4C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xce8btool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328420Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xce8C:\Windows\System32\Ftp.exe%%19360x888C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328418Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xcbcC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xcb0btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328417Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xcb0C:\Windows\System32\Ftp.exe%%19360x888C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000135767Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.957{03D06954-1487-65E0-4000-000000004903}3408C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig 
--no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-1487-65E0-3F00-000000004903}3396C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000135766Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.948{03D06954-1487-65E0-3F00-000000004903}3396C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000135764Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.627{03D06954-1487-65E0-3D00-000000004903}3316C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-1487-65E0-3C00-000000004903}3304C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 
154100x8000000000000000135763Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.622{03D06954-1487-65E0-3C00-000000004903}3304C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000135761Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.334{03D06954-1487-65E0-3A00-000000004903}3260C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-1487-65E0-3900-000000004903}3248C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000135760Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:15.328{03D06954-1487-65E0-3900-000000004903}3248C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 4688201331200x80200000000000001328406Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc5cC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xc50btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328405Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc50C:\Windows\System32\Ftp.exe%%19360x888C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328397Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360x8d8btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328396Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8d8C:\Windows\System32\Ftp.exe%%19360x888C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328395Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x888C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xa14"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL 
SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328394Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xa14C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328392Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8e0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x2f8"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328391Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x6d0C:\Windows\System32\conhost.exe%%19360x2f8\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x80200000000000001328389Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x2f8C:\Windows\System32\Ftp.exe%%19360xa58C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000135758Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.925{03D06954-1486-65E0-3700-000000004903}3164C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-1486-65E0-3600-000000004903}3152C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000135757Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.915{03D06954-1486-65E0-3600-000000004903}3152C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000135755Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.447{03D06954-1486-65E0-3300-000000004903}1288C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{03D06954-1486-65E0-3200-000000004903}2264C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000135754Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 
05:22:14.439{03D06954-1486-65E0-3200-000000004903}2264C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000135753Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.428{03D06954-1486-65E0-3100-000000004903}2184C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-1486-65E0-3000-000000004903}2580C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000135752Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.423{03D06954-1486-65E0-3000-000000004903}2580C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" 
_internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000135751Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.357{03D06954-1486-65E0-2E00-000000004903}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{03D06954-1486-65E0-2C00-000000004903}760C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000135750Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-29 05:22:14.330{03D06954-1486-65E0-2C00-000000004903}760C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{03D06954-1472-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{03D06954-1485-65E0-2700-000000004903}2648C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000653027Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xaacC:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653026Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xaf0C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653025Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8e4C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653024Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa28C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653022Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xac0C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 
154100x8000000000000000134344Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:01.463{7A09209E-1479-65E0-5600-000000004903}2732C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134343Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:01.340{7A09209E-1479-65E0-5500-000000004903}2800C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134342Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:01.229{7A09209E-1479-65E0-5400-000000004903}2276C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134341Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:01.120{7A09209E-1479-65E0-5300-000000004903}2600C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134340Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:01.011{7A09209E-1479-65E0-5200-000000004903}2752C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000653021Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa38C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653020Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8ccC:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653019Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa54C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653018Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa50C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653017Securityar-win-2.attackrange.localNT 
AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa88C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653014Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbd4C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xbdc"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653013Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbdcC:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000134339Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.901{7A09209E-1478-65E0-5100-000000004903}2616C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 
154100x8000000000000000134338Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.792{7A09209E-1478-65E0-5000-000000004903}2252C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134337Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.684{7A09209E-1478-65E0-4F00-000000004903}2644C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134336Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.564{7A09209E-1478-65E0-4E00-000000004903}2640C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft 
CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134335Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.452{7A09209E-1478-65E0-4D00-000000004903}2696C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134334Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.111{7A09209E-1478-65E0-4C00-000000004903}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{7A09209E-1478-65E0-4B00-000000004903}3036C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000134333Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:22:00.099{7A09209E-1478-65E0-4B00-000000004903}3036C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000653011Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb80C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xb88btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653010Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb88C:\Windows\System32\Ftp.exe%%19360x8b0C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 
4688201331200x8020000000000000653008Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbc8C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xb44btool server list replication_port --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000653007Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb44C:\Windows\System32\Ftp.exe%%19360x8b0C:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000134331Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:59.797{7A09209E-1477-65E0-4900-000000004903}2944C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1477-65E0-4800-000000004903}2952C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134330Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:59.788{7A09209E-1477-65E0-4800-000000004903}2952C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1475-65E0-3B00-000000004903}2224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 154100x8000000000000000134328Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:59.493{7A09209E-1477-65E0-4600-000000004903}3016C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1477-65E0-4500-000000004903}2884C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134327Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:59.484{7A09209E-1477-65E0-4500-000000004903}2884C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1475-65E0-3B00-000000004903}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt NT AUTHORITY\SYSTEM 4688201331200x8020000000000000652969Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8b0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360x45c"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal 
pre-flight-checks --answer-yes --no-prompt NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652968Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x45cC:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000134317Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:57.297{7A09209E-1475-65E0-3B00-000000004903}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{7A09209E-1475-65E0-3A00-000000004903}1116C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1NT AUTHORITY\SYSTEM 154100x8000000000000000134316Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:57.292{7A09209E-1475-65E0-3A00-000000004903}1116C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000652962Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbdcC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xbd0btool server list sslConfig --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652961Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbd0C:\Windows\System32\Ftp.exe%%19360xa90C:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652947Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb88C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xb7cbtool server list watchdog --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652946Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb7cC:\Windows\System32\Ftp.exe%%19360xa90C:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652942Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb50C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xb40btool server list kvstore --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 
4688201331200x8020000000000000652941Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb40C:\Windows\System32\Ftp.exe%%19360xa90C:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652936Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xaecC:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xae0btool server list general --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652935Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xae0C:\Windows\System32\Ftp.exe%%19360xa90C:\Windows\system32\Ftp.exe /c btool server list general --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 154100x8000000000000000134313Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.994{7A09209E-1474-65E0-3800-000000004903}3036C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1474-65E0-3700-000000004903}3024C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list sslConfig --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134312Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.990{7A09209E-1474-65E0-3700-000000004903}3024C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool 
server list sslConfig --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000134310Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.756{7A09209E-1474-65E0-3500-000000004903}2952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1474-65E0-3400-000000004903}2940C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134309Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.751{7A09209E-1474-65E0-3400-000000004903}2940C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list watchdog --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 
154100x8000000000000000134307Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.422{7A09209E-1474-65E0-3200-000000004903}2896C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1474-65E0-3100-000000004903}2880C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134306Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.415{7A09209E-1474-65E0-3100-000000004903}2880C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000134304Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.070{7A09209E-1474-65E0-2E00-000000004903}2796C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1474-65E0-2D00-000000004903}2784C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134303Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:56.062{7A09209E-1474-65E0-2D00-000000004903}2784C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 4688201331200x8020000000000000652928Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xab0C:\Program Files\SplunkUniversalForwarder\bin\btool.exe%%19360xaa4btool web list settings --no-logNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652927Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xaa4C:\Windows\System32\Ftp.exe%%19360xa90C:\Windows\system32\Ftp.exe /c btool web list settings --no-logNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunk.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652926Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa90C:\Program 
Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xa84"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652925Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa84C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652919Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa4cC:\Program Files\SplunkUniversalForwarder\bin\splunk.exe%%19360xa20"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652918Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa28C:\Windows\System32\conhost.exe%%19360xa20\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\Ftp.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000652917Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa20C:\Windows\System32\Ftp.exe%%19360x754C:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\svchost.exeMandatory Label\System Mandatory Level 154100x8000000000000000134301Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.729{7A09209E-1473-65E0-2B00-000000004903}2736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe9.0.5btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT 
AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=372338C2C86713E58480A796FF1E4402,SHA256=4D2D42758A8770112C475746FC574D494F378BC517F95E13F0D2F93846540406,IMPHASH=D7E7C7FB1023AE6F5D81B244992E7451{7A09209E-1473-65E0-2A00-000000004903}2724C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logNT AUTHORITY\SYSTEM 154100x8000000000000000134300Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.720{7A09209E-1473-65E0-2A00-000000004903}2724C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT AUTHORITY\SYSTEM 154100x8000000000000000134299Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.708{7A09209E-1473-65E0-2900-000000004903}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{7A09209E-1473-65E0-2800-000000004903}2692C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsNT 
AUTHORITY\SYSTEM 154100x8000000000000000134298Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.703{7A09209E-1473-65E0-2800-000000004903}2692C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM 154100x8000000000000000134297Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.636{7A09209E-1473-65E0-2600-000000004903}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe9.0.5splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=6F6CAA7785AA751413986F808DA8F745,SHA256=96E0BF21506E3877D38FB7BD836193E142A02BBE7C47BD854E0A8228757DC24B,IMPHASH=84048A205A55F829D4D40558E477EAB7{7A09209E-1473-65E0-2400-000000004903}2592C:\Windows\System32\Ftp.exeC:\Windows\system32\Ftp.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsNT AUTHORITY\SYSTEM 154100x8000000000000000134296Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-29 05:21:55.608{7A09209E-1473-65E0-2400-000000004903}2592C:\Windows\System32\Ftp.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationFtp.exeC:\Windows\system32\Ftp.exe /c 
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{7A09209E-1471-65E0-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7A09209E-1472-65E0-1C00-000000004903}1876C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe"C:\Program Files\SplunkUniversalForwarder\bin\svchost.exe" serviceNT AUTHORITY\SYSTEM