4104 1 5 2 15 0x0 236879 Microsoft-Windows-PowerShell/Operational WIN10-21H1.snapattack.labs 1 1 install-module azuread -allowclobber -force 92c03a57-9d99-410b-8e98-2528edcd65bb 4688 2 0 13312 0 0x8020000000000000 464015 Security win10-base S-1-5-21-1103654211-1238870038-1204021333-1002 user WIN10-BASE 0x7db43 0x16a4 C:\Windows\System32\net.exe %%1937 0x9f8 "C:\WINDOWS\system32\net.exe" user badguy password123 /ADD S-1-0-0 - - 0x0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe S-1-16-12288 1 5 4 1 0 0x8000000000000000 20158 Microsoft-Windows-Sysmon/Operational DC01.snapattack.labs - 2024-05-10 14:48:21.863 A5CDDB11-33B5-663E-7D25-000000000800 12020 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10.0.20348.1 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -Command "Invoke-Command -ScriptBlock {&'C:\Program Files\SMS_CCM\ScriptStore\5A1519E8-CA25-4B6F-BE58-8218199007B0_0A2041ECFF3331313ED11305D0E43C0D99F03D8AF786396A0F645E6CF30E928C.ps1' | ConvertTo-Json -Compress }" C:\Program Files\SMS_CCM\ScriptStore\ NT AUTHORITY\SYSTEM A5CDDB11-6587-663A-E703-000000000000 0x3e7 0 System MD5=2E0CCB27064856E3D55017FA2D33A7B9,SHA256=1C84C8632C5269F24876ED9F49FA810B49F77E1E92E8918FC164C34B020F9A94,IMPHASH=BF7A6E7A62C3F5B2E8E069438AC1DD3D A5CDDB11-77AA-663A-4B0B-000000000800 5776 C:\Program Files\SMS_CCM\CcmExec.exe "C:\Program Files\SMS_CCM\CcmExec.exe" NT AUTHORITY\SYSTEM 4104 1 5 2 15 0x0 236879 Microsoft-Windows-PowerShell/Operational WIN10-21H1.snapattack.labs 1 1 install-module azuread -allowclobber -force 92c03a57-9d99-410b-8e98-2528edcd65bb 4688 2 0 13312 0 0x8020000000000000 464015 Security win10-base S-1-5-21-1103654211-1238870038-1204021333-1002 user WIN10-BASE 0x7db43 0x16a4 C:\Windows\System32\net.exe %%1937 0x9f8 "C:\WINDOWS\system32\net.exe" user badguy password123 /ADD S-1-0-0 - - 0x0 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe S-1-16-12288 1 5 4 1 0 0x8000000000000000 20158 Microsoft-Windows-Sysmon/Operational DC01.snapattack.labs - 2024-05-10 14:48:21.863 A5CDDB11-33B5-663E-7D25-000000000800 12020 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10.0.20348.1 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -NonInteractive -NoProfile -ExecutionPolicy RemoteSigned -Command "Invoke-Command -ScriptBlock {&'C:\Program Files\SMS_CCM\ScriptStore\5A1519E8-CA25-4B6F-BE58-8218199007B0_0A2041ECFF3331313ED11305D0E43C0D99F03D8AF786396A0F645E6CF30E928C.ps1' | ConvertTo-Json -Compress }" C:\Program Files\SMS_CCM\ScriptStore\ NT AUTHORITY\SYSTEM A5CDDB11-6587-663A-E703-000000000000 0x3e7 0 System MD5=2E0CCB27064856E3D55017FA2D33A7B9,SHA256=1C84C8632C5269F24876ED9F49FA810B49F77E1E92E8918FC164C34B020F9A94,IMPHASH=BF7A6E7A62C3F5B2E8E069438AC1DD3D A5CDDB11-77AA-663A-4B0B-000000000800 5776 C:\Program Files\SMS_CCM\CcmExec.exe "C:\Program Files\SMS_CCM\CcmExec.exe" NT AUTHORITY\SYSTEM