4634001254500x8020000000000000211483Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f8e3f3 4624201254400x8020000000000000211482Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f8e3f3KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-fe80::25f1:ea03:8efd:c46255087%%1833---%%18430x0%%1842 4672001254800x8020000000000000211481Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f8e3fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000211480Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f8cc43 4624201254400x8020000000000000211479Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f8cc43KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-fe80::25f1:ea03:8efd:c46255086%%1833---%%18430x0%%1842 4672001254800x8020000000000000211478Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f8cc4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000211477Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f86d33 4634001254500x8020000000000000211476Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f87cb3 4634001254500x8020000000000000211475Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f881a3 4624201254400x8020000000000000211474Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f88c53KerberosKerberos-{553f8156-38a7-582b-3aab-d2412c30b723}--00x0-fe80::25f1:ea03:8efd:c46255084%%1840---%%18430x0%%1842 4672001254800x8020000000000000211473Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f88c5SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000211472Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f881a3KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-10.0.1.1455083%%1833---%%18430x0%%1842 4672001254800x8020000000000000211471Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f881aSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000211470Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f87cb3KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000211469Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f87cbSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000211468Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f86d33KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-fe80::25f1:ea03:8efd:c46255082%%1833---%%18430x0%%1842 4672001254800x8020000000000000211467Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f86d3SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000211466Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f86ae3KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-fe80::25f1:ea03:8efd:c46255081%%1833---%%18430x0%%1842 4672001254800x8020000000000000211465Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f86aeSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000019047Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:27.950{54d3457e-e1ef-6421-e204-000000004902}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211464Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000211463Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1c1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 22542200x800000000000000019046Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:23.609{54d3457e-e1dc-6421-dc04-000000004902}6564wpad9003-C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICE 154100x800000000000000019045Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:26.978{54d3457e-e1ee-6421-e104-000000004902}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019044Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:26.208{54d3457e-e1ee-6421-e004-000000004902}2232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211462Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211461Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f71cc3 4624201254400x8020000000000000211460Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f71cc3KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-::155079%%1833---%%18430x0%%1842 4672001254800x8020000000000000211459Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f71ccSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000211458Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1890C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019043Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:24.390{54d3457e-e1ec-6421-df04-000000004902}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019042Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:21.949{54d3457e-e1e9-6421-de04-000000004902}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211457Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509B11","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3724629Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000015805Applicationar-win-6.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509B11","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3724629Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3096","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271EE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2623382Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3096","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271CA","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2616148Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"1552","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271C9","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2615718Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3184","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42718D","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2502211Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"4980","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B6A8","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6757419Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"1100","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B6A6","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6756218Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"1100","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B689","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6745427Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"4980","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B641","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6652987Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029749Applicationar-win-5.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3924","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427015","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1496999Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029748Applicationar-win-5.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42700C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1495819Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029747Applicationar-win-5.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426FEF","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1487312Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029746Applicationar-win-5.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426FBF","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1370985Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029942Applicationar-win-3.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{A6251F42-60C1-0000-4E1F-25A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"4992","FileAge":"530d11h21m56s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4FFF81","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1905657Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029941Applicationar-win-3.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{A6251F42-60C1-0000-4E1F-25A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"4992","FileAge":"530d11h21m56s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4FFF6D","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1897723Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029940Applicationar-win-3.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{A6251F42-60C1-0000-4E1F-25A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2148","FileAge":"530d11h21m56s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4FFF48","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1876005Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029939Applicationar-win-3.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{A6251F42-60C1-0000-4E1F-25A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2148","FileAge":"530d11h21m56s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4FFF28","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1807864Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029749Applicationar-win-9.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3096","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271EE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2623382Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029748Applicationar-win-9.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3096","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271CA","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2616148Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000029747Applicationar-win-9.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"1552","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4271C9","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2615718Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000015802Applicationar-win-10.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"4980","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B6A8","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6757419Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000015801Applicationar-win-10.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"1100","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B6A6","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6756218Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000015800Applicationar-win-10.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"1100","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B689","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6745427Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 99300x8000000000000015799Applicationar-win-10.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-10","Correlation_ActivityID":"{A76FEDEB-60C1-0000-64EE-6FA7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"616","Execution_ThreadID":"4980","FileAge":"166d01h50m16s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x50B641","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.6652987Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} 4634001254500x8020000000000000148952Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b113 5145001281100x8020000000000000148951Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455067\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000148950Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455070\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000148949Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509ac63 4627001255400x8020000000000000148948Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x509b11311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000148947Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x509b113KerberosKerberos-{345c4983-dc13-91f8-076f-b703c066ad6d}--00x0-10.0.1.1455069%%1833---%%18430x0%%1842 4672001254800x8020000000000000148946Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509b11SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4634001254500x8020000000000000148945Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509ae43 5145001281100x8020000000000000148944Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455067\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4627001255400x8020000000000000148943Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x509ae4311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000148942Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x509ae43KerberosKerberos-{345c4983-dc13-91f8-076f-b703c066ad6d}--00x0-10.0.1.1455070%%1833---%%18430x0%%1842 4672001254800x8020000000000000148941Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509ae4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000148940Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x509ac6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000148939Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x509ac63KerberosKerberos-{345c4983-dc13-91f8-076f-b703c066ad6d}--00x0-10.0.1.1455068%%1833---%%18430x0%%1842 5140101280800x8020000000000000148938Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455067\\*\ADMIN$\??\C:\Windows0x1%%4416 4672001254800x8020000000000000148937Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509ac6SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000148936Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455067\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000148935Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87File10.0.1.1455067\\*\IPC$0x1%%4416 4627001255400x8020000000000000148934Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x509a87311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000148933Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x509a873KerberosKerberos-{345c4983-dc13-91f8-076f-b703c066ad6d}--00x0-10.0.1.1455067%%1833---%%18430x0%%1842 4672001254800x8020000000000000148932Securityar-win-6.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x509a87SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378658Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455063\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378657Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455064\\*\C$\??\C:\0x1%%4416 5145001281100x8020000000000000378656Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455064\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4634001254500x8020000000000000378655Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4273b03 4634001254500x8020000000000000378654Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4273c83 5140101280800x8020000000000000378653Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455063\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378652Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4273c8311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378651Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4273c83KerberosKerberos-{20A648B7-3FF8-7FEF-3164-A0E2FD0C2CC9}--00x0-10.0.1.1455066%%1833---%%18430x0%%1842 4672001254800x8020000000000000378650Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4273c8SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4634001254500x8020000000000000378649Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4273923 4627001255400x8020000000000000378648Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4273b0311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378647Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4273b03KerberosKerberos-{20A648B7-3FF8-7FEF-3164-A0E2FD0C2CC9}--00x0-10.0.1.1455064%%1833---%%18430x0%%1842 4672001254800x8020000000000000378646Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4273b0SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378645Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x427392311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378644Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4273923KerberosKerberos-{20A648B7-3FF8-7FEF-3164-A0E2FD0C2CC9}--00x0-10.0.1.1455065%%1833---%%18430x0%%1842 4672001254800x8020000000000000378643Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427392SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378642Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455063\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378641Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369File10.0.1.1455063\\*\IPC$0x1%%4416 4627001255400x8020000000000000378640Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x427369311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378639Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4273693KerberosKerberos-{20A648B7-3FF8-7FEF-3164-A0E2FD0C2CC9}--00x0-10.0.1.1455063%%1833---%%18430x0%%1842 4672001254800x8020000000000000378638Securityar-win-4.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427369SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4634001254500x8020000000000000378729Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4270153 5145001281100x8020000000000000378728Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455071\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378727Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455074\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378726Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42700c3 4627001255400x8020000000000000378725Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x427015311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378724Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4270153KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455073%%1833---%%18430x0%%1842 4627001255400x8020000000000000378723Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x42700c311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4634001254500x8020000000000000378722Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fef3 4624201254400x8020000000000000378721Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x42700c3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455072%%1833---%%18430x0%%1842 4672001254800x8020000000000000378720Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x427015SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378719Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42700cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378718Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455071\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4627001255400x8020000000000000378717Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426fef311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378716Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x426fef3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455074%%1833---%%18430x0%%1842 4672001254800x8020000000000000378715Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fefSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5140101280800x8020000000000000378714Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455071\\*\ADMIN$\??\C:\Windows0x1%%4416 5145001281100x8020000000000000378713Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455071\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378712Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfFile10.0.1.1455071\\*\IPC$0x1%%4416 4627001255400x8020000000000000378711Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426fbf311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378710Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x426fbf3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455071%%1833---%%18430x0%%1842 4672001254800x8020000000000000378709Securityar-win-5.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426fbfSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"2164","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426978","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1520932Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"2164","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426964","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1513588Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"724","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426947","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1505961Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"724","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42691C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1435058Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 5145001281100x8020000000000000380434Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455075\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000380433Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455077\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000380432Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff483 4634001254500x8020000000000000380431Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff813 4634001254500x8020000000000000380430Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff6d3 5145001281100x8020000000000000380429Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455077\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000380428Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455075\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000380427Securityar-win-3.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4fff81311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000380426Securityar-win-3.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4fff813KerberosKerberos-{DA728412-3944-5CFF-C5D1-5DC273DECDD3}--00x0-10.0.1.1455078%%1833---%%18430x0%%1842 4672001254800x8020000000000000380425Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff81SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-51.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-12.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-13.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-14.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-15.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-16.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-17.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-18.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-19.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-20.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-21.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-22.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-23.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-24.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-25.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-26.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-27.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-28.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-11.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-29.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-30.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-31.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-32.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-33.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-34.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-35.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-36.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-37.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-38.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-39.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-40.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-41.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-42.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-43.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-44.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-45.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-46.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-47.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-48.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-49.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378426Securityar-win-50.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000380424Securityar-win-3.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4fff6d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000380423Securityar-win-3.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4fff6d3KerberosKerberos-{DA728412-3944-5CFF-C5D1-5DC273DECDD3}--00x0-10.0.1.1455077%%1833---%%18430x0%%1842 4672001254800x8020000000000000380422Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff6dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000380421Securityar-win-3.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4fff48311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000380420Securityar-win-3.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4fff483KerberosKerberos-{DA728412-3944-5CFF-C5D1-5DC273DECDD3}--00x0-10.0.1.1455076%%1833---%%18430x0%%1842 4672001254800x8020000000000000380419Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff48SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000380418Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455075\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000380417Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28File10.0.1.1455075\\*\IPC$0x1%%4416 4627001255400x8020000000000000380416Securityar-win-3.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4fff28311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000380415Securityar-win-3.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4fff283KerberosKerberos-{DA728412-3944-5CFF-C5D1-5DC273DECDD3}--00x0-10.0.1.1455075%%1833---%%18430x0%%1842 4672001254800x8020000000000000380414Securityar-win-3.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4fff28SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4634001254500x8020000000000000378714Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271ee3 5145001281100x8020000000000000378713Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455059\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 4634001254500x8020000000000000378712Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271c93 5140101280800x8020000000000000378711Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455061\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378710Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271ca3 4627001255400x8020000000000000378709Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4271ee311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378708Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4271ee3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455062%%1833---%%18430x0%%1842 4672001254800x8020000000000000378707Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271eeSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378706Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4271ca311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378705Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4271ca3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455060%%1833---%%18430x0%%1842 4627001255400x8020000000000000378704Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4271c9311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378703Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4271c93KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455061%%1833---%%18430x0%%1842 4672001254800x8020000000000000378702Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271c9SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000378701Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4271caSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378700Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455059\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378699Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455059\\*\ADMIN$\??\C:\Windows0x1%%4416 5145001281100x8020000000000000378698Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455059\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378697Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dFile10.0.1.1455059\\*\IPC$0x1%%4416 4627001255400x8020000000000000378696Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x42718d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378695Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x42718d3KerberosKerberos-{2547DF68-DA2E-D752-2C40-A0A72A8B1276}--00x0-10.0.1.1455059%%1833---%%18430x0%%1842 4672001254800x8020000000000000378694Securityar-win-9.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42718dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 99300x8000000000000029746Applicationar-win-9.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-9","Correlation_ActivityID":"{A6C481AA-60C1-0001-B781-C4A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"604","Execution_ThreadID":"3184","FileAge":"530d11h22m01s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42718D","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.2502211Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 5145001281100x8020000000000000378483Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455051\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378482Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455053\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378481Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295be3 4634001254500x8020000000000000378480Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295f23 5145001281100x8020000000000000378479Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455053\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4634001254500x8020000000000000378478Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295de3 5140101280800x8020000000000000378477Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455053\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378476Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4295f2311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378475Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4295f23KerberosKerberos-{31C395CC-8920-CC87-09A2-8AD213B9E8F7}--00x0-10.0.1.1455054%%1833---%%18430x0%%1842 4672001254800x8020000000000000378474Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295f2SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378473Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4295de311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378472Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4295de3KerberosKerberos-{31C395CC-8920-CC87-09A2-8AD213B9E8F7}--00x0-10.0.1.1455053%%1833---%%18430x0%%1842 4672001254800x8020000000000000378471Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295deSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378470Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4295be311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378469Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4295be3KerberosKerberos-{31C395CC-8920-CC87-09A2-8AD213B9E8F7}--00x0-10.0.1.1455052%%1833---%%18430x0%%1842 4672001254800x8020000000000000378468Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4295beSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378467Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455051\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378466Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598File10.0.1.1455051\\*\IPC$0x1%%4416 4627001255400x8020000000000000378465Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x429598311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378464Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4295983KerberosKerberos-{31C395CC-8920-CC87-09A2-8AD213B9E8F7}--00x0-10.0.1.1455051%%1833---%%18430x0%%1842 4672001254800x8020000000000000378463Securityar-win-2.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x429598SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000149538Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455055\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000149537Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455056\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000149536Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b6893 4634001254500x8020000000000000149535Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b6a83 4634001254500x8020000000000000149534Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b6a63 5145001281100x8020000000000000149533Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455056\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000149532Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455055\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000149531Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x50b6a8311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000149530Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x50b6a83KerberosKerberos-{fb76d49a-773e-eced-3444-cb3b9141f0a4}--00x0-10.0.1.1455058%%1833---%%18430x0%%1842 4627001255400x8020000000000000149529Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x50b6a6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000149528Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x50b6a63KerberosKerberos-{fb76d49a-773e-eced-3444-cb3b9141f0a4}--00x0-10.0.1.1455056%%1833---%%18430x0%%1842 4672001254800x8020000000000000149527Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b6a8SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4672001254800x8020000000000000149526Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b6a6SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000149525Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x50b689311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000149524Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x50b6893KerberosKerberos-{fb76d49a-773e-eced-3444-cb3b9141f0a4}--00x0-10.0.1.1455057%%1833---%%18430x0%%1842 4672001254800x8020000000000000149523Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b689SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000149522Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455055\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000149521Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641File10.0.1.1455055\\*\IPC$0x1%%4416 4627001255400x8020000000000000149520Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x50b641311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000149519Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x50b6413KerberosKerberos-{fb76d49a-773e-eced-3444-cb3b9141f0a4}--00x0-10.0.1.1455055%%1833---%%18430x0%%1842 4672001254800x8020000000000000149518Securityar-win-10.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x50b641SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4268A0","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1545935Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42688C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1537833Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426872","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1496092Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"3948","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426847","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1296575Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509AE4","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3695536Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509AC6","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3685252Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509A87","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3604367Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029726Applicationar-win-7.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4268A0","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1545935Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029725Applicationar-win-7.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42688C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1537833Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029724Applicationar-win-7.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"4056","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426872","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1496092Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029723Applicationar-win-7.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-7","Correlation_ActivityID":"{A6336D90-60C1-0001-9D6D-33A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"3948","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426847","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1296575Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029771Applicationar-win-8.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"2164","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426978","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1520932Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029770Applicationar-win-8.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"2164","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426964","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1513588Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029769Applicationar-win-8.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"724","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426947","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1505961Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029768Applicationar-win-8.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-8","Correlation_ActivityID":"{A50E0DEE-60C1-0001-010E-0EA5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"600","Execution_ThreadID":"724","FileAge":"530d11h21m57s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42691C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.1435058Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 4769001433700x8020000000000000211456Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-3$ATTACKRANGE\AR-WIN-3$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211455Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-5$ATTACKRANGE\AR-WIN-5$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211454Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-6$ATTACKRANGE\AR-WIN-6$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211453Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-4$ATTACKRANGE\AR-WIN-4$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211452Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-9$ATTACKRANGE\AR-WIN-9$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211451Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-10$ATTACKRANGE\AR-WIN-10$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 4769001433700x8020000000000000211450Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x12::100x0{8832e93f-62dc-aa19-94c7-7c07744be8b1}- 99300x8000000000000015804Applicationar-win-6.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509AE4","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3695536Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000015803Applicationar-win-6.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509AC6","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3685252Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000015802Applicationar-win-6.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-6","Correlation_ActivityID":"{A51712A7-60C1-0000-3513-17A5C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"624","Execution_ThreadID":"728","FileAge":"166d01h50m12s","FileCreationDate":"2022-10-12T13:44:41","FileVersion":"10.0.17763.3532 (WinBuild.160101.0800)","Hashes":"MD5=56119FCB0E96D299CBD9101CD1EF22C2,SHA1=CB9A0740D4E6270F032B289F41BF152A813BBA9A,SHA256=6CFFF639A6C9D8A9FBC6D1DF8C239E089A505AC8AE6ACEED422BD3DD94BE16DC,IMPHASH=3924D1606F44D90586A3EC75785C2730","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x509A87","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.3604367Z","Timestamp":"2079-04-29T21:58:43","Version":"0","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029738Applicationar-win-2.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295F2","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9824849Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029737Applicationar-win-2.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295DE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9784774Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029736Applicationar-win-2.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295BE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9757323Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029735Applicationar-win-2.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x429598","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9685682Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 410515102150x0678627Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local81d866e3-f0c7-4e54-ab9d-6259b8480500532a042a-a474-4266-9336-27bf9afee494 410615103150x0678626Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala92747e0-b1a4-4e94-80f9-a1773408c5d9532a042a-a474-4266-9336-27bf9afee494 410615103150x0678625Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5badddb8-d23b-4dab-b97f-a5a0318737c2532a042a-a474-4266-9336-27bf9afee494 410515102150x0678624Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5badddb8-d23b-4dab-b97f-a5a0318737c2532a042a-a474-4266-9336-27bf9afee494 410515102150x0678623Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.locala92747e0-b1a4-4e94-80f9-a1773408c5d9532a042a-a474-4266-9336-27bf9afee494 4104152150x0678622Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompta92747e0-b1a4-4e94-80f9-a1773408c5d9 410615103150x0678621Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local385bbf1d-5335-463b-8339-d1f266b28a75532a042a-a474-4266-9336-27bf9afee494 410515102150x0678620Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local385bbf1d-5335-463b-8339-d1f266b28a75532a042a-a474-4266-9336-27bf9afee494 410615103150x0678619Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfcec0b5f-0b75-433a-b1b5-8d29cd88ffd1532a042a-a474-4266-9336-27bf9afee494 99300x8000000000000029766Applicationar-win-4.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3576","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4273C8","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9121828Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029765Applicationar-win-4.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"1484","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4273B0","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9082449Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029764Applicationar-win-4.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3248","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427392","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9078444Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 99300x8000000000000029763Applicationar-win-4.attackrange.local{"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3248","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427369","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.8910696Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 5145001281100x8020000000000000378540Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455047\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378539Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455049\\*\C$\??\C:\0x1%%4416 5145001281100x8020000000000000378538Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455049\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4634001254500x8020000000000000378537Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4268a03 4634001254500x8020000000000000378536Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42688c3 5140101280800x8020000000000000378535Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455047\\*\ADMIN$\??\C:\Windows0x1%%4416 4634001254500x8020000000000000378534Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4268723 4627001255400x8020000000000000378533Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x4268a0311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378532Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4268a03KerberosKerberos-{86CE4D23-00E4-2516-34A1-6041DD779E50}--00x0-10.0.1.1455049%%1833---%%18430x0%%1842 4672001254800x8020000000000000378531Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4268a0SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378530Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x42688c311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378529Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x42688c3KerberosKerberos-{86CE4D23-00E4-2516-34A1-6041DD779E50}--00x0-10.0.1.1455050%%1833---%%18430x0%%1842 4672001254800x8020000000000000378528Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42688cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378527Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426872311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378526Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4268723KerberosKerberos-{86CE4D23-00E4-2516-34A1-6041DD779E50}--00x0-10.0.1.1455048%%1833---%%18430x0%%1842 4672001254800x8020000000000000378525Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426872SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378524Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455047\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378523Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847File10.0.1.1455047\\*\IPC$0x1%%4416 4627001255400x8020000000000000378522Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426847311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378521Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4268473KerberosKerberos-{86CE4D23-00E4-2516-34A1-6041DD779E50}--00x0-10.0.1.1455047%%1833---%%18430x0%%1842 4672001254800x8020000000000000378520Securityar-win-7.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426847SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378446Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455041\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000378445Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455043\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378444Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4269473 4634001254500x8020000000000000378443Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4269783 5145001281100x8020000000000000378442Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455043\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 4634001254500x8020000000000000378441Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x4269643 5140101280800x8020000000000000378440Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455043\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378439Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426978311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378438Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4269783KerberosKerberos-{A8C69706-B377-C536-A3D2-93C9743BEBD1}--00x0-10.0.1.1455044%%1833---%%18430x0%%1842 4672001254800x8020000000000000378437Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426978SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378436Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426964311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378435Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4269643KerberosKerberos-{A8C69706-B377-C536-A3D2-93C9743BEBD1}--00x0-10.0.1.1455043%%1833---%%18430x0%%1842 4672001254800x8020000000000000378434Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426964SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000378433Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x426947311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378432Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x4269473KerberosKerberos-{A8C69706-B377-C536-A3D2-93C9743BEBD1}--00x0-10.0.1.1455042%%1833---%%18430x0%%1842 4672001254800x8020000000000000378431Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x426947SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 5145001281100x8020000000000000378430Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455041\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378429Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cFile10.0.1.1455041\\*\IPC$0x1%%4416 4627001255400x8020000000000000378428Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-2732REED_MORSEATTACKRANGE.LOCAL0x42691c311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-5-21-3061066544-971859979-4169126676-4050} ATTACKRANGE\LU-bia-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3852} ATTACKRANGE\MA-diarrea78-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3654} ATTACKRANGE\RO-jul-distlist1 %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\High Mandatory Level 4624201254400x8020000000000000378427Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE.LOCAL0x42691c3KerberosKerberos-{A8C69706-B377-C536-A3D2-93C9743BEBD1}--00x0-10.0.1.1455041%%1833---%%18430x0%%1842 4672001254800x8020000000000000378426Securityar-win-8.attackrange.localATTACKRANGE\REED_MORSEREED_MORSEATTACKRANGE0x42691cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4769001433700x8020000000000000211449Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-7$ATTACKRANGE\AR-WIN-7$0x408100000x12::100x0{305a26dc-e167-2110-d421-c7ab689b9e2e}- 4634001254500x8020000000000000211448Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f36203 4624201254400x8020000000000000211447Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5f36203KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-fe80::25f1:ea03:8efd:c46255046%%1833---%%18430x0%%1842 4672001254800x8020000000000000211446Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5f3620SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4769001433700x8020000000000000211445Securityar-win-dc.attackrange.localREED_MORSE@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-8$ATTACKRANGE\AR-WIN-8$0x408100000x12::100x0{305a26dc-e167-2110-d421-c7ab689b9e2e}- 4768001433900x8020000000000000211444Securityar-win-dc.attackrange.localREED_MORSEATTACKRANGE.LOCALATTACKRANGE\REED_MORSEkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::10 {"Computer":"ar-win-dc","Correlation_ActivityID":"{A81F8847-60C1-0003-27B2-1FA8C160D901}","EventID":"4104","Execution_ProcessID":"3084","Execution_ThreadID":"2540","Keywords":"0x0","Level":"5","Match_Strings":"Invoke-ShareFinder in ScriptBlockText","MessageNumber":"1","MessageTotal":"1","Module":"Sigma","Opcode":"15","Path":"","Provider_Guid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Provider_Name":"Microsoft-Windows-PowerShell","Rule_Author":"Bhabesh Raj","Rule_Description":"Detects Commandlet names from PowerView of PowerSploit exploitation framework.","Rule_FalsePositives":"Should not be any as administrators do not use this tool","Rule_Id":"dcd74b95-3f36-4ed9-9598-0490951643aa","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml","Rule_Modified":"2023/02/06","Rule_Path":"public\\windows\\powershell\\powershell_script\\posh_ps_powerview_malicious_commandlets.yml","Rule_References":"https://powersploit.readthedocs.io/en/stable/Recon/README, https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon, https://thedfirreport.com/2020/10/08/ryuks-return, https://adsecurity.org/?p=2277","Rule_Sigtype":"public","Rule_Title":"Malicious PowerView PowerShell Commandlets","ScriptBlockId":"fcec0b5f-0b75-433a-b1b5-8d29cd88ffd1","ScriptBlockText":"Invoke-ShareFinder -CheckShareAccess","Security_UserID":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"2","TimeCreated_SystemTime":"2023-03-27T18:35:14.2502908Z","Version":"1","Winversion":"17763","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:14Z"} 99300x8000000000000016021Applicationar-win-dc.attackrange.local{"Computer":"ar-win-dc","Correlation_ActivityID":"{A81F8847-60C1-0003-27B2-1FA8C160D901}","EventID":"4104","Execution_ProcessID":"3084","Execution_ThreadID":"2540","Keywords":"0x0","Level":"5","Match_Strings":"Invoke-ShareFinder in ScriptBlockText","MessageNumber":"1","MessageTotal":"1","Module":"Sigma","Opcode":"15","Path":"","Provider_Guid":"{A0C1853B-5C40-4B15-8766-3CF1C58F985A}","Provider_Name":"Microsoft-Windows-PowerShell","Rule_Author":"Bhabesh Raj","Rule_Description":"Detects Commandlet names from PowerView of PowerSploit exploitation framework.","Rule_FalsePositives":"Should not be any as administrators do not use this tool","Rule_Id":"dcd74b95-3f36-4ed9-9598-0490951643aa","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml","Rule_Modified":"2023/02/06","Rule_Path":"public\\windows\\powershell\\powershell_script\\posh_ps_powerview_malicious_commandlets.yml","Rule_References":"https://powersploit.readthedocs.io/en/stable/Recon/README, https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon, https://thedfirreport.com/2020/10/08/ryuks-return, https://adsecurity.org/?p=2277","Rule_Sigtype":"public","Rule_Title":"Malicious PowerView PowerShell Commandlets","ScriptBlockId":"fcec0b5f-0b75-433a-b1b5-8d29cd88ffd1","ScriptBlockText":"Invoke-ShareFinder -CheckShareAccess","Security_UserID":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"2","TimeCreated_SystemTime":"2023-03-27T18:35:14.2502908Z","Version":"1","Winversion":"17763","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:14Z"} 410615103150x0678618Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678617Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678616Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678615Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678614Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678613Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678612Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678611Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678610Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678609Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678608Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678607Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678606Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678605Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678604Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678603Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678602Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678601Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678600Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410515102150x0678599Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2e036434-f5de-4e3d-85eb-2258947806a7532a042a-a474-4266-9336-27bf9afee494 410615103150x0678598Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3f173bef-2786-451a-990a-0b7426800f8d532a042a-a474-4266-9336-27bf9afee494 410515102150x0678597Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local3f173bef-2786-451a-990a-0b7426800f8d532a042a-a474-4266-9336-27bf9afee494 410515102150x0678596Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localfcec0b5f-0b75-433a-b1b5-8d29cd88ffd1532a042a-a474-4266-9336-27bf9afee494 4104152150x0678595Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11Invoke-ShareFinder -CheckShareAccessfcec0b5f-0b75-433a-b1b5-8d29cd88ffd1 410615103150x0678594Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local81d866e3-f0c7-4e54-ab9d-6259b8480500532a042a-a474-4266-9336-27bf9afee494 410515102150x0678593Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local81d866e3-f0c7-4e54-ab9d-6259b8480500532a042a-a474-4266-9336-27bf9afee494 410615103150x0678592Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local40c411ed-355d-4833-924d-3c559773509d532a042a-a474-4266-9336-27bf9afee494 410615103150x0678591Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5badddb8-d23b-4dab-b97f-a5a0318737c2532a042a-a474-4266-9336-27bf9afee494 410515102150x0678590Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5badddb8-d23b-4dab-b97f-a5a0318737c2532a042a-a474-4266-9336-27bf9afee494 410515102150x0678589Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local40c411ed-355d-4833-924d-3c559773509d532a042a-a474-4266-9336-27bf9afee494 4104152150x0678588Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt40c411ed-355d-4833-924d-3c559773509d 410615103150x0678587Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local385bbf1d-5335-463b-8339-d1f266b28a75532a042a-a474-4266-9336-27bf9afee494 410515102150x0678586Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local385bbf1d-5335-463b-8339-d1f266b28a75532a042a-a474-4266-9336-27bf9afee494 410615103150x0678585Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8925ffab-af2c-4e0e-84a6-e1dac6872aad532a042a-a474-4266-9336-27bf9afee494 410515102150x0678584Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8925ffab-af2c-4e0e-84a6-e1dac6872aad532a042a-a474-4266-9336-27bf9afee494 4104152150x0678583Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11klist purge8925ffab-af2c-4e0e-84a6-e1dac6872aad 410615103150x0678582Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local81d866e3-f0c7-4e54-ab9d-6259b8480500532a042a-a474-4266-9336-27bf9afee494 4688201331200x8020000000000000211443Securityar-win-dc.attackrange.localATTACKRANGE\REED_MORSEreed_morseATTACKRANGE0x699950x494C:\Windows\System32\klist.exe%%19370xc0c"C:\Windows\system32\klist.exe" purgeNULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level 154100x800000000000000019041Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:11.639{54d3457e-e1df-6421-dd04-000000004902}1172C:\Windows\System32\klist.exe10.0.17763.3532 (WinBuild.160101.0800)Tool for managing the Kerberos ticket cacheMicrosoft® Windows® Operating SystemMicrosoft Corporationklist.exe"C:\Windows\system32\klist.exe" purgeC:\users\reed_morse\Downloads\ATTACKRANGE\REED_MORSE{54d3457e-b7c7-6421-9599-060000000000}0x699952HighMD5=406D271A260BF6961AB422C06A8FC4EB,SHA256=B29E4020D3E281D7A6CF6E015D5380BA5D2744E8DA8F2D59D39804BB3E59535D,IMPHASH=4FE5947C89AC5142F65CE6D49C0B85D4{54d3457e-b81f-6421-f700-000000004902}3084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypassATTACKRANGE\REED_MORSE 22542200x800000000000000019040Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:08.593{54d3457e-e1dc-6421-dc04-000000004902}6564wpad9003-C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICE 703604000x8080000000000000120622Systemar-win-dc.attackrange.localWinHTTP Web Proxy Auto-Discovery Servicerunning570069006E0048007400740070004100750074006F00500072006F00780079005300760063002F0034000000 154100x800000000000000019039Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:35:08.895{54d3457e-e1dc-6421-dc04-000000004902}6564C:\Windows\System32\svchost.exe10.0.17763.3346 (WinBuild.160101.0800)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvcC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{54d3457e-b79b-6421-e503-000000000000}0x3e50SystemMD5=4DD18F001AC31D5F48F50F99E4AA1761,SHA256=2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69{00000000-0000-0000-0000-000000000000}604--- 4688201331200x8020000000000000211442Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x19a4C:\Windows\System32\svchost.exe%%19360x25cC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvcNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5C:\Windows\System32\services.exeMandatory Label\System Mandatory Level 4673001305600x8010000000000000149517Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe 4689001331300x8020000000000000378637Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xe14C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378693Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xf44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378636Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xe14C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015597Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:35:04.998{8FCC9F6C-E1D8-6421-2504-00000000D502}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1984--- 154100x800000000000000015602Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:35:04.897{9792FEB4-E1D8-6421-2304-00000000D502}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378692Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xf44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378691Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x538C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378635Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xf54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378634Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xf54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015596Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:35:04.371{8FCC9F6C-E1D8-6421-2404-00000000D502}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4688201331200x8020000000000000378690Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x538C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015601Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:35:04.144{9792FEB4-E1D8-6421-2204-00000000D502}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3576","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4273C8","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9121828Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"1484","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4273B0","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9082449Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3248","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427392","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.9078444Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-4","Correlation_ActivityID":"{A7E7B855-60C1-0000-67B8-E7A7C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3248","FileAge":"530d11h22m03s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427369","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:14.8910696Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} 4689001331300x8020000000000000378633Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378632Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xf6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015595Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:35:03.612{8FCC9F6C-E1D7-6421-2304-00000000D502}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"1208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.8599518Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:02Z"} {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"1208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.8525126Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:02Z"} 4689001331300x8020000000000000378689Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x3ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378688Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x3ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015600Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:35:03.314{9792FEB4-E1D7-6421-2104-00000000D502}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000015829Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:35:02.728{8fd3d7d2-e1d6-6421-6504-000000004902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015658Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:35:02.329{E6E25EEE-E1D6-6421-2304-00000000D502}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000149516Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xb54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149515Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xb54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149514Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xc0cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378708Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xd18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378707Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xd18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000029762Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"1208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.8599518Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:02Z"} 7300x8000000000000029761Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"1208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.8525126Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:02Z"} 4689001331300x8020000000000000378706Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378687Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xbf4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015828Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:35:01.926{8fd3d7d2-e1d5-6421-6404-000000004902}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015827Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:35:01.170{8fd3d7d2-e1d5-6421-6304-000000004902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 4688201331200x8020000000000000149513Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xc0cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149512Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x634C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149511Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x634C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378519Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xa24C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015657Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:35:01.457{E6E25EEE-E1D5-6421-2204-00000000D502}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000378705Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9460000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"3008","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9460000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.6559566Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:01Z"} 7300x8000000000000029760Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9460000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"3008","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9460000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:35:00.6559566Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:01Z"} 4689001331300x8020000000000000378631Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xce4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378686Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xbf4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015599Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:35:00.897{9792FEB4-E1D4-6421-2004-00000000D502}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000017336Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:35:00.806{0F843AFE-E1D4-6421-2204-00000000D502}2596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4688201331200x8020000000000000378518Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xa24C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015656Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:35:00.698{E6E25EEE-E1D4-6421-2104-00000000D502}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378704Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xec0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378703Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xec0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211441Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5ef5423 4688201331200x8020000000000000378630Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xce4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378629Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xf60C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000015594Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:35:00.787{8FCC9F6C-E1D4-6421-2204-00000000D502}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000380413Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378517Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x87cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378516Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x87cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017335Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:35:00.095{0F843AFE-E1D4-6421-2104-00000000D502}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1844--- 4673001305600x8010000000000000149510Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.6154857Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.6144965Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 4688201331200x8020000000000000378628Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xf60C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015593Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:34:59.722{8FCC9F6C-E1D3-6421-2104-00000000D502}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1984--- 4688201331200x8020000000000000380412Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016615Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:59.959{C9DE9129-E1D3-6421-6704-00000000D502}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000378515Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xd68C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378514Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xd68C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017334Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:34:59.335{0F843AFE-E1D3-6421-2004-00000000D502}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378425Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378424Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015608Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:34:59.498{CAB910BF-E1D3-6421-2204-00000000D502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015826Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:34:59.071{8fd3d7d2-e1d3-6421-6204-000000004902}4668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149509Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x123cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000149508Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x123cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016614Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:59.331{C9DE9129-E1D3-6421-6604-00000000D502}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 7300x8000000000000029938Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB62990000","EventID":"5","Execution_ProcessID":"1208","Execution_ThreadID":"3180","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB62990000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1208","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:58.6318417Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 7300x8000000000000029937Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB61D30000","EventID":"5","Execution_ProcessID":"1208","Execution_ThreadID":"3180","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB61D30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1208","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:58.6313735Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 7300x8000000000000029936Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB625B0000","EventID":"5","Execution_ProcessID":"1208","Execution_ThreadID":"404","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB625B0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1208","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:58.4354912Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 4689001331300x8020000000000000380411Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xe5cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380410Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xe5cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000029767Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.6154857Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 7300x8000000000000029766Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.6144965Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:59Z"} 4689001331300x8020000000000000378423Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xec4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3924","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x427015","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1496999Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x42700C","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1495819Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426FEF","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1487312Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-5","Correlation_ActivityID":"{A6B8F30D-60C1-0001-1BF3-B8A6C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"3520","FileAge":"530d11h21m59s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x426FBF","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:15.1370985Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:16Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295F2","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9824849Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295DE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9784774Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x4295BE","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9757323Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"C:\\Windows\\system32\\lsass.exe","Company":"Microsoft Corporation","Computer":"ar-win-2","Correlation_ActivityID":"{A3BBA0C4-60C1-0000-D6A0-BBA3C160D901}","Description":"Local Security Authority Process","EventCountTotal":"1","EventID":"300","EventOrginal":"1","Execution_ProcessID":"596","Execution_ThreadID":"2100","FileAge":"530d11h21m53s","FileCreationDate":"2021-10-13T04:12:58","FileVersion":"10.0.14393.4704 (rs1_release.211004-1917)","Hashes":"MD5=93212FD52A9CD5ADDAD2FD2A779355D2,SHA1=49A814F72292082A1CFDF602B5E4689B0F942703,SHA256=95888DAEFD187FAC9C979387F75FF3628548E7DDF5D70AD489CF996B9CAD7193,IMPHASH=D6BD93CD721B30625A910C53F829499B","Image":"C:\\Windows\\System32\\lsass.exe","Keywords":"0x2000000000000000","Level":"4","Match_Strings":"300 in EventID, S-1-5-32-544 in SidList, S-1-5-21- in TargetUserSid","Module":"Sigma","Opcode":"0","OriginalFileName":"lsass.exe","ParentImage":"C:\\Windows\\System32\\wininit.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{199FE037-2B82-40A9-82AC-E1D46C792B99}","Provider_Name":"LsaSrv","Rule_Author":"frack113","Rule_Description":"Detect standard users login that are part of high privileged groups such as the Administrator group","Rule_FalsePositives":"Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field","Rule_Id":"7ac407cc-0f48-4328-aede-de1d2e6fef41","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml","Rule_Modified":"2023/01/13","Rule_Path":"public\\windows\\builtin\\lsa_server\\win_lsa_server_normal_user_admin.yml","Rule_References":"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml","Rule_Sigtype":"public","Rule_Title":"Standard User In High Privileged Group","Security_UserID":"S-1-5-18","SidList":"\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-513}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-2}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-512}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-4050}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3642}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3852}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3950}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3654}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-3628}\r\n\t\t%{S-1-18-1}\r\n\t\t%{S-1-5-21-3061066544-971859979-4169126676-572}","TargetDomainName":"ATTACKRANGE","TargetLogonGuid":"{00000000-0000-0000-0000-000000000000}","TargetLogonId":"0x429598","TargetUserName":"REED_MORSE","TargetUserSid":"S-1-5-21-3061066544-971859979-4169126676-2732","Task":"0","TimeCreated_SystemTime":"2023-03-27T18:35:13.9685682Z","Timestamp":"2021-10-05T05:21:17","Version":"0","Winversion":"14393","aurora_eventid":99,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:35:15Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"3288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:56.054418Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:57Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"3288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:56.0534416Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:57Z"} 154100x800000000000000016613Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:58.580{C9DE9129-E1D2-6421-6504-00000000D502}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000380409Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x4b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000380408Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x4b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378685Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xeecC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378684Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xeecC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015598Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:34:58.286{9792FEB4-E1D2-6421-1F04-00000000D502}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378462Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xd18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378461Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015573Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:34:58.215{B5208300-E1D2-6421-2104-00000000D502}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"3272","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.2324783Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"3272","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.2318729Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA3C5C0000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"2412","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA3C5C0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.0460179Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 4689001331300x8020000000000000148931Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x1270C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000148930Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x1270C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148929Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x818C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378422Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xec4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378421Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xed0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378420Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xed0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015607Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:34:58.817{CAB910BF-E1D2-6421-2104-00000000D502}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015606Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:34:58.071{CAB910BF-E1D2-6421-2004-00000000D502}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015839Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:34:58.789{94bfb0cf-e1d2-6421-6704-000000004902}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3000--- 7300x8000000000000029765Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC00330000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"2396","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFC00330000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.3945048Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 7300x8000000000000029745Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"3272","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.2324783Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 7300x8000000000000029744Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"3272","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.2318729Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 7300x8000000000000029743Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA3C5C0000","EventID":"5","Execution_ProcessID":"2600","Execution_ThreadID":"2412","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA3C5C0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.0460179Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 154100x800000000000000015838Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:34:57.945{94bfb0cf-e1d1-6421-6604-000000004902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015825Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:34:57.325{8fd3d7d2-e1d1-6421-6104-000000004902}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149507Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x137cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000149506Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x137cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378702Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xa28C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378701Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xa28C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015655Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:34:57.111{E6E25EEE-E1D1-6421-2004-00000000D502}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000148928Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x818C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148927Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 7300x8000000000000029734Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"3288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:56.054418Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:57Z"} 7300x8000000000000029733Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"3288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:56.0534416Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:57Z"} 4689001331300x8020000000000000378460Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfbcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378459Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfbcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378458Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015572Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:34:57.557{B5208300-E1D1-6421-2004-00000000D502}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.6676165Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.6670045Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA5FCC0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"916","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA5FCC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.4862483Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"1760","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.7194725Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} 4688201331200x8020000000000000378457Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015571Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:34:56.809{B5208300-E1D0-6421-1F04-00000000D502}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378513Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x1e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000380407Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000380406Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016612Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:56.544{C9DE9129-E1D0-6421-6404-00000000D502}4904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1876--- 4688201331200x8020000000000000148926Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148925Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x7f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000148924Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x7f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015837Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:34:56.875{94bfb0cf-e1d0-6421-6504-000000004902}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015836Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:34:56.044{94bfb0cf-e1d0-6421-6404-000000004902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3000--- 7300x8000000000000029722Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.6676165Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} 7300x8000000000000029721Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.6670045Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} 7300x8000000000000029720Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA5FCC0000","EventID":"5","Execution_ProcessID":"488","Execution_ThreadID":"916","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA5FCC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.4862483Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} 154100x800000000000000015654Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:34:56.070{E6E25EEE-E1D0-6421-1F04-00000000D502}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378700Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xf68C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378699Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xf68C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000029732Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"2368","Execution_ThreadID":"1760","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:55.7194725Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:56Z"} 154100x800000000000000017333Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:34:56.074{0F843AFE-E1D0-6421-1F04-00000000D502}488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1844--- 4688201331200x8020000000000000378512Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x1e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017332Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:34:55.172{0F843AFE-E1CF-6421-1E04-00000000D502}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378511Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xd34C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378510Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xd34C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378419Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x650C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4624201254400x8020000000000000211440Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE.LOCAL0x5f01793KerberosKerberos-{a593484a-21a4-1f2c-8402-599940848d50}--00x0---%%1840---%%18430x0%%1842 4672001254800x8020000000000000211439Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE0x5f0179SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 4689001331300x8020000000000000380405Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x13f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000380404Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x13f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016611Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:54.573{C9DE9129-E1CE-6421-6304-00000000D502}5104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1876--- 154100x800000000000000015570Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:34:54.213{B5208300-E1CE-6421-1E04-00000000D502}1804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378456Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x70cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378455Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x70cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000378418Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x650C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378417Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xd60C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378416Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xd60C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015605Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:34:54.886{CAB910BF-E1CE-6421-1F04-00000000D502}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015604Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:34:54.113{CAB910BF-E1CE-6421-1E04-00000000D502}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015835Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:34:54.160{94bfb0cf-e1ce-6421-6304-000000004902}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000148923Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x1118C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000148922Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x1118C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378454Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xe4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378453Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015569Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:34:51.884{B5208300-E1CB-6421-1D04-00000000D502}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 4624201254400x8020000000000000211438Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5ef5423KerberosKerberos-{3e5ecb72-fb66-b73f-08fe-35a9aff2b33e}--00x0-fe80::25f1:ea03:8efd:c46252737%%1840---%%18430x0%%1842 4672001254800x8020000000000000211437Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5ef542SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000019038Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:34:27.933{54d3457e-e1b3-6421-db04-000000004902}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211436Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x15f4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000211435Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x14c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019037Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:34:26.963{54d3457e-e1b2-6421-da04-000000004902}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019036Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:34:26.199{54d3457e-e1b2-6421-d904-000000004902}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211434Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1a38C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211433Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5ed24d3 4624201254400x8020000000000000211432Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5ed24d3KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-::152736%%1833---%%18430x0%%1842 4672001254800x8020000000000000211431Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5ed24dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000019035Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:34:24.392{54d3457e-e1b0-6421-d804-000000004902}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211430Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000211429Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019034Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:34:21.955{54d3457e-e1ad-6421-d704-000000004902}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3088--- 703604000x8080000000000000120621Systemar-win-dc.attackrange.localWinHTTP Web Proxy Auto-Discovery Servicestopped570069006E0048007400740070004100750074006F00500072006F00780079005300760063002F0031000000 {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3512","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.3442752Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3512","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.3422661Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF3A4C0000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"856","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF3A4C0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.0863855Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} 154100x800000000000000015592Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:34:05.166{8FCC9F6C-E19D-6421-2004-00000000D502}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1984--- 4673001305600x8010000000000000148920Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe 4689001331300x8020000000000000378627Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x494C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378626Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x494C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000029745Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3512","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.3442752Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} 7300x8000000000000029744Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3512","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.3422661Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} 7300x8000000000000029743Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF3A4C0000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"856","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF3A4C0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:04.0863855Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:05Z"} 4689001331300x8020000000000000378683Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xf04C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000015597Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:34:04.900{9792FEB4-E19C-6421-1E04-00000000D502}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378625Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xd4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378682Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xf04C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378681Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x6f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"800","Execution_ThreadID":"804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:03.7551263Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:04Z"} {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"800","Execution_ThreadID":"804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:03.7546618Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:04Z"} 7300x8000000000000029759Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"800","Execution_ThreadID":"804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:03.7551263Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:04Z"} 7300x8000000000000029758Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"800","Execution_ThreadID":"804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:03.7546618Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:04Z"} 4688201331200x8020000000000000378624Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xd4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015591Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:34:04.416{8FCC9F6C-E19C-6421-1F04-00000000D502}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4688201331200x8020000000000000378680Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x6f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015596Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:34:04.139{9792FEB4-E19C-6421-1D04-00000000D502}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378623Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378622Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015590Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:34:03.604{8FCC9F6C-E19B-6421-1E04-00000000D502}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378679Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xf50C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378678Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xf50C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015595Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:34:03.316{9792FEB4-E19B-6421-1C04-00000000D502}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000149505Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149504Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015824Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:34:02.688{8fd3d7d2-e19a-6421-6004-000000004902}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015653Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:34:02.120{E6E25EEE-E19A-6421-1E04-00000000D502}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378698Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xe88C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378697Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xe88C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9460000","EventID":"5","Execution_ProcessID":"3500","Execution_ThreadID":"3208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9460000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3500","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:00.6595414Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:01Z"} 4689001331300x8020000000000000149503Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xd98C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378677Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000378696Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xd4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378695Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xd4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015652Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:34:01.435{E6E25EEE-E199-6421-1D04-00000000D502}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2008--- 154100x800000000000000015823Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:34:01.930{8fd3d7d2-e199-6421-5f04-000000004902}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015822Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:34:01.179{8fd3d7d2-e199-6421-5e04-000000004902}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 4688201331200x8020000000000000149502Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xd98C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149501Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x112cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149500Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x112cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378621Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xdacC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 7300x8000000000000029757Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9460000","EventID":"5","Execution_ProcessID":"3500","Execution_ThreadID":"3208","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9460000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3500","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:00.6595414Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:01Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA32B10000","EventID":"5","Execution_ProcessID":"3992","Execution_ThreadID":"3584","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFA32B10000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3992","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:00.62119Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:00Z"} 4689001331300x8020000000000000378509Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x86cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378676Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015594Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:34:00.893{9792FEB4-E198-6421-1B04-00000000D502}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000017331Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:34:00.833{0F843AFE-E198-6421-1D04-00000000D502}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378694Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xf98C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378693Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xf98C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015651Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:34:00.689{E6E25EEE-E198-6421-1C04-00000000D502}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000378620Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xdacC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015589Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:34:00.789{8FCC9F6C-E198-6421-1D04-00000000D502}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1984--- 4688201331200x8020000000000000378508Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x86cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378507Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x710C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378506Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x710C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380403Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x12c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380402Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x12c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016610Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:34:00.080{C9DE9129-E198-6421-6204-00000000D502}4800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 7300x8000000000000029742Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA32B10000","EventID":"5","Execution_ProcessID":"3992","Execution_ThreadID":"3584","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFA32B10000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3992","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:00.62119Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:00Z"} 4673001305600x8010000000000000148919Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe 154100x800000000000000017330Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:34:00.082{0F843AFE-E198-6421-1C04-00000000D502}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1844--- 154100x800000000000000015588Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:33:59.713{8FCC9F6C-E197-6421-1C04-00000000D502}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1984--- 4634001254500x8020000000000000148918Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa03 154100x800000000000000017329Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:33:59.327{0F843AFE-E197-6421-1B04-00000000D502}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378505Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xf00C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378504Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xf00C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378619Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x6bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378618Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x6bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015603Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:33:59.419{CAB910BF-E197-6421-1D04-00000000D502}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000378415Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xd08C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378414Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xd08C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000378413Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e6313 4689001331300x8020000000000000149499Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x11dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4634001254500x8020000000000000149498Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c193 4688201331200x8020000000000000149497Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x11dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015821Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:33:59.069{8fd3d7d2-e197-6421-5d04-000000004902}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000380401Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x9f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000380400Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x9f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016609Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:59.334{C9DE9129-E197-6421-6104-00000000D502}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1876--- 7300x8000000000000029742Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3448","Execution_ThreadID":"2424","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3448","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.7544207Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 7300x8000000000000029741Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3448","Execution_ThreadID":"2424","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3448","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.753445Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 4634001254500x8020000000000000378675Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea13 4634001254500x8020000000000000378452Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4212673 7300x8000000000000029935Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB62990000","EventID":"5","Execution_ProcessID":"4284","Execution_ThreadID":"1948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB62990000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:58.5967926Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 7300x8000000000000029934Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB61D30000","EventID":"5","Execution_ProcessID":"4284","Execution_ThreadID":"1948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB61D30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:58.5962696Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 7300x8000000000000029933Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB625B0000","EventID":"5","Execution_ProcessID":"4284","Execution_ThreadID":"3128","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB625B0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:58.4344717Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 4689001331300x8020000000000000378412Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC00330000","EventID":"5","Execution_ProcessID":"3792","Execution_ThreadID":"2396","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFC00330000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3792","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:34:57.3945048Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:34:58Z"} 4634001254500x8020000000000000378503Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57d3 4634001254500x8020000000000000378692Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec733 4634001254500x8020000000000000378617Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f0823 4689001331300x8020000000000000380399Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x10bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380398Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016608Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:58.585{C9DE9129-E196-6421-6004-00000000D502}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 154100x800000000000000015593Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:33:58.277{9792FEB4-E196-6421-1A04-00000000D502}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378674Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xd78C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378673Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xd78C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015568Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:33:58.308{B5208300-E196-6421-1C04-00000000D502}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378451Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378450Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000378411Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378410Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xc70C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378409Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xc70C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015602Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:33:58.819{CAB910BF-E196-6421-1C04-00000000D502}384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015601Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:33:58.074{CAB910BF-E196-6421-1B04-00000000D502}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000148917Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x101cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000148916Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x101cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148915Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xd70C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015834Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:33:58.783{94bfb0cf-e196-6421-6204-000000004902}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3000--- {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.5808143Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.5803109Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} {"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC00330000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFC00330000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.3982891Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} 7300x8000000000000029764Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.5808143Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} 7300x8000000000000029763Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.5803109Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} 7300x8000000000000029762Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC00330000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFC00330000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.3982891Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:58Z"} 154100x800000000000000015833Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:33:57.926{94bfb0cf-e195-6421-6104-000000004902}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000149496Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000149495Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015820Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:33:57.331{8fd3d7d2-e195-6421-5c04-000000004902}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000378691Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x4f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378690Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x4f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015650Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:33:57.120{E6E25EEE-E195-6421-1B04-00000000D502}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2008--- 7300x8000000000000029741Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"1264","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.2449862Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 7300x8000000000000029740Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"1264","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.2445533Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 4688201331200x8020000000000000148914Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xd70C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148913Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.8985839Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.8977925Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"2724","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.7175606Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 4689001331300x8020000000000000378449Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378448Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015567Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:33:57.555{B5208300-E195-6421-1B04-00000000D502}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000029731Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.8985839Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 7300x8000000000000029730Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.8977925Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 7300x8000000000000029729Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"2724","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.7175606Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} 4689001331300x8020000000000000378502Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xbcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000378447Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x594C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378446Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x594C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015566Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:33:56.804{B5208300-E194-6421-1A04-00000000D502}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000380397Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1138C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000380396Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1138C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016607Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:56.532{C9DE9129-E194-6421-5F04-00000000D502}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000378689Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xef8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378688Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xef8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015649Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:33:56.067{E6E25EEE-E194-6421-1A04-00000000D502}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2008--- 154100x800000000000000015832Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:33:56.872{94bfb0cf-e194-6421-6004-000000004902}1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015831Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:33:56.036{94bfb0cf-e194-6421-5f04-000000004902}1628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000148912Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148911Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x65cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000148910Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x65cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000029719Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"188","Execution_ThreadID":"2748","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.6536596Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} 7300x8000000000000029718Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"188","Execution_ThreadID":"2748","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.6532214Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} 7300x8000000000000029717Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA58720000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"1616","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA58720000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:54.6083833Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} 4688201331200x8020000000000000378501Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xbcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017328Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:33:56.062{0F843AFE-E194-6421-1A04-00000000D502}188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378500Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x8c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378499Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x8c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017327Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:33:55.180{0F843AFE-E193-6421-1904-00000000D502}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378408Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xea4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015565Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:33:54.213{B5208300-E192-6421-1904-00000000D502}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378445Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378444Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380395Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000380394Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016606Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:54.570{C9DE9129-E192-6421-5E04-00000000D502}468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1876--- 4688201331200x8020000000000000378407Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xea4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378406Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x17cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378405Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x17cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015600Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:33:54.886{CAB910BF-E192-6421-1A04-00000000D502}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015599Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:33:54.097{CAB910BF-E192-6421-1904-00000000D502}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015830Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:33:54.152{94bfb0cf-e192-6421-5e04-000000004902}4328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000148909Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x10e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000148908Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378443Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x454C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000015564Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:33:51.866{B5208300-E18F-6421-1804-00000000D502}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 4688201331200x8020000000000000378442Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x454C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 354300x800000000000000016605Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:47.920{C9DE9129-BD45-6421-4101-00000000D502}1408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\ELMER_SALAStcptruefalse10.0.1.16ar-win-3.attackrange.local49929-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389ldap 4634001254500x8020000000000000148907Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4ff0083 4634001254500x8020000000000000148906Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4ff02a3 4627001255400x8020000000000000148905Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4ff02a311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000148904Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4ff02a3KerberosKerberos-{50116af0-5cec-c909-56f0-23e965f538cd}--00x0-10.0.1.1649978%%1833---%%18430x0%%1843 4634001254500x8020000000000000148903Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefe83 5140101280800x8010000000000000148902Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649976\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000148901Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649974\\*\C$\??\C:\0x1%%4416 4627001255400x8020000000000000148900Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4ff008311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000148899Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4ff0083KerberosKerberos-{50116af0-5cec-c909-56f0-23e965f538cd}--00x0-10.0.1.1649977%%1833---%%18430x0%%1843 4627001255400x8020000000000000148898Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4fefe8311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000148897Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4fefe83KerberosKerberos-{50116af0-5cec-c909-56f0-23e965f538cd}--00x0-10.0.1.1649976%%1833---%%18430x0%%1843 5140101280800x8010000000000000148896Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649974\\*\ADMIN$\??\C:\Windows0x1%%4416 5140101280800x8010000000000000148895Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649974\\*\ADMIN$\??\C:\Windows0x1%%4416 5145001281100x8020000000000000148894Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649974\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000148893Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4fefa0File10.0.1.1649974\\*\IPC$0x1%%4416 4627001255400x8020000000000000148892Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4fefa0311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000148891Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4fefa03KerberosKerberos-{50116af0-5cec-c909-56f0-23e965f538cd}--00x0-10.0.1.1649974%%1833---%%18430x0%%1843 4634001254500x8020000000000000378687Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ecb73 4634001254500x8020000000000000378686Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec9d3 5140101280800x8010000000000000378685Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649950\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000378684Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649948\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378683Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eccc3 4627001255400x8020000000000000378682Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41eccc311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378681Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41eccc3KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649952%%1833---%%18430x0%%1843 5140101280800x8010000000000000378680Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649948\\*\ADMIN$\??\C:\Windows0x1%%4416 5140101280800x8010000000000000378679Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649948\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378678Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41ecb7311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378677Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41ecb73KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649951%%1833---%%18430x0%%1843 4627001255400x8020000000000000378676Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41ec9d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378675Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41ec9d3KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649950%%1833---%%18430x0%%1843 5145001281100x8020000000000000378674Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649948\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378673Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41ec73File10.0.1.1649948\\*\IPC$0x1%%4416 4627001255400x8020000000000000378672Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41ec73311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378671Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41ec733KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649948%%1833---%%18430x0%%1843 4634001254500x8020000000000000378404Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e6753 5140101280800x8010000000000000378403Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649940\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000378402Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649938\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378401Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e68d3 4627001255400x8020000000000000378400Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e68d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378399Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e68d3KerberosKerberos-{AF554F58-DED5-D4C8-1B5B-014320828E16}--00x0-10.0.1.1649942%%1833---%%18430x0%%1843 4634001254500x8020000000000000378398Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e65b3 5140101280800x8010000000000000378397Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649940\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378396Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e675311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378395Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e6753KerberosKerberos-{AF554F58-DED5-D4C8-1B5B-014320828E16}--00x0-10.0.1.1649941%%1833---%%18430x0%%1843 5140101280800x8010000000000000378394Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649938\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378393Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e65b311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378392Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e65b3KerberosKerberos-{AF554F58-DED5-D4C8-1B5B-014320828E16}--00x0-10.0.1.1649940%%1833---%%18430x0%%1843 5145001281100x8020000000000000378391Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649938\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378390Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e631File10.0.1.1649938\\*\IPC$0x1%%4416 4627001255400x8020000000000000378389Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e631311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378388Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e6313KerberosKerberos-{AF554F58-DED5-D4C8-1B5B-014320828E16}--00x0-10.0.1.1649938%%1833---%%18430x0%%1843 4634001254500x8020000000000000149494Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c903 5140101280800x8010000000000000149493Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649965\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000149492Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649963\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000149491Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c973 4634001254500x8020000000000000149490Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c623 4627001255400x8020000000000000149489Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x500c90311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000149488Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x500c903KerberosKerberos-{125b47c0-be85-4404-6980-852ad88b3a86}--00x0-10.0.1.1649967%%1833---%%18430x0%%1843 4627001255400x8020000000000000149487Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x500c97311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000149486Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x500c973KerberosKerberos-{125b47c0-be85-4404-6980-852ad88b3a86}--00x0-10.0.1.1649966%%1833---%%18430x0%%1843 5140101280800x8010000000000000149485Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649965\\*\ADMIN$\??\C:\Windows0x1%%4416 5140101280800x8010000000000000149484Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649963\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000149483Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x500c62311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000149482Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x500c623KerberosKerberos-{125b47c0-be85-4404-6980-852ad88b3a86}--00x0-10.0.1.1649965%%1833---%%18430x0%%1843 5145001281100x8020000000000000149481Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649963\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000149480Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x500c19File10.0.1.1649963\\*\IPC$0x1%%4416 4627001255400x8020000000000000149479Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x500c19311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000149478Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x500c193KerberosKerberos-{125b47c0-be85-4404-6980-852ad88b3a86}--00x0-10.0.1.1649963%%1833---%%18430x0%%1843 4634001254500x8020000000000000378672Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eee33 4634001254500x8020000000000000378671Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eed13 5140101280800x8010000000000000378670Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649955\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000378669Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649953\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378668Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eefa3 4627001255400x8020000000000000378667Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41eefa311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378666Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41eefa3KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649957%%1833---%%18430x0%%1843 4627001255400x8020000000000000378665Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41eee3311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378664Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41eee33KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649956%%1833---%%18430x0%%1843 5140101280800x8010000000000000378663Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649953\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378662Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41eed1311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378661Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41eed13KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649955%%1833---%%18430x0%%1843 5140101280800x8010000000000000378660Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649953\\*\ADMIN$\??\C:\Windows0x1%%4416 5145001281100x8020000000000000378659Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649953\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378658Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41eea1File10.0.1.1649953\\*\IPC$0x1%%4416 4627001255400x8020000000000000378657Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41eea1311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378656Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41eea13KerberosKerberos-{101B29AF-A839-72B1-7431-CF0049DC7AF8}--00x0-10.0.1.1649953%%1833---%%18430x0%%1843 4634001254500x8020000000000000378441Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4212c53 5140101280800x8010000000000000378440Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649945\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000378439Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649943\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378438Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4212b03 4627001255400x8020000000000000378437Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4212c5311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378436Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4212c53KerberosKerberos-{CD29EC46-70AE-0A81-4540-8FB76ECEE2F7}--00x0-10.0.1.1649947%%1833---%%18430x0%%1843 4627001255400x8020000000000000378435Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x4212b0311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378434Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4212b03KerberosKerberos-{CD29EC46-70AE-0A81-4540-8FB76ECEE2F7}--00x0-10.0.1.1649946%%1833---%%18430x0%%1843 4634001254500x8020000000000000378433Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x4212923 5140101280800x8010000000000000378432Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649945\\*\ADMIN$\??\C:\Windows0x1%%4416 5140101280800x8010000000000000378431Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649943\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378430Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x421292311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378429Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4212923KerberosKerberos-{CD29EC46-70AE-0A81-4540-8FB76ECEE2F7}--00x0-10.0.1.1649945%%1833---%%18430x0%%1843 5145001281100x8020000000000000378428Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649943\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378427Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x421267File10.0.1.1649943\\*\IPC$0x1%%4416 4627001255400x8020000000000000378426Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x421267311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378425Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x4212673KerberosKerberos-{CD29EC46-70AE-0A81-4540-8FB76ECEE2F7}--00x0-10.0.1.1649943%%1833---%%18430x0%%1843 5140101280800x8010000000000000378616Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649960\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378615Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f0b63 5140101280800x8010000000000000378614Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649958\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378613Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f0e93 5140101280800x8010000000000000378612Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649958\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378611Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41f0e9311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378610Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41f0e93KerberosKerberos-{982703B7-2BBD-D576-0611-EABEAFBB7F7E}--00x0-10.0.1.1649962%%1833---%%18430x0%%1843 4634001254500x8020000000000000378609Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f0d13 5140101280800x8010000000000000378608Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649961\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378607Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41f0d1311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378606Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41f0d13KerberosKerberos-{982703B7-2BBD-D576-0611-EABEAFBB7F7E}--00x0-10.0.1.1649961%%1833---%%18430x0%%1843 4627001255400x8020000000000000378605Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41f0b6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378604Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41f0b63KerberosKerberos-{982703B7-2BBD-D576-0611-EABEAFBB7F7E}--00x0-10.0.1.1649960%%1833---%%18430x0%%1843 5145001281100x8020000000000000378603Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649958\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378602Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41f082File10.0.1.1649958\\*\IPC$0x1%%4416 4627001255400x8020000000000000378601Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41f082311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378600Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41f0823KerberosKerberos-{982703B7-2BBD-D576-0611-EABEAFBB7F7E}--00x0-10.0.1.1649958%%1833---%%18430x0%%1843 4634001254500x8020000000000000378498Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e5d63 4634001254500x8020000000000000378497Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e5c13 5140101280800x8010000000000000378496Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649935\\*\C$\??\C:\0x1%%4416 5140101280800x8010000000000000378495Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649933\\*\C$\??\C:\0x1%%4416 4634001254500x8020000000000000378494Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e5a73 4627001255400x8020000000000000378493Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e5d6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378492Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e5d63KerberosKerberos-{6BFF2062-8110-C84D-DA1F-DB39AAB9B1ED}--00x0-10.0.1.1649937%%1833---%%18430x0%%1843 4627001255400x8020000000000000378491Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e5c1311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378490Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e5c13KerberosKerberos-{6BFF2062-8110-C84D-DA1F-DB39AAB9B1ED}--00x0-10.0.1.1649936%%1833---%%18430x0%%1843 5140101280800x8010000000000000378489Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649933\\*\ADMIN$\??\C:\Windows0x1%%4416 5140101280800x8010000000000000378488Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649933\\*\ADMIN$\??\C:\Windows0x1%%4416 4627001255400x8020000000000000378487Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e5a7311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378486Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e5a73KerberosKerberos-{6BFF2062-8110-C84D-DA1F-DB39AAB9B1ED}--00x0-10.0.1.1649935%%1833---%%18430x0%%1843 5145001281100x8020000000000000378485Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649933\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000378484Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x41e57dFile10.0.1.1649933\\*\IPC$0x1%%4416 4627001255400x8020000000000000378483Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x41e57d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000378482Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x41e57d3KerberosKerberos-{6BFF2062-8110-C84D-DA1F-DB39AAB9B1ED}--00x0-10.0.1.1649933%%1833---%%18430x0%%1843 03/27/2023 06:33:48 PM LogName=Directory Service EventCode=1644 EventType=4 ComputerName=ar-win-dc.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-3061066544-971859979-4169126676-1123 SidType=0 SourceName=Microsoft-Windows-ActiveDirectory_DomainService Type=Information RecordNumber=211 Keywords=Classic TaskCategory=Field Engineering OpCode=The operation completed successfully. Message=Internal event: A client issued a search operation with the following options. Client: 10.0.1.16:49929 Starting node: DC=attackrange,DC=local Filter: ( & (objectClass=computer) (dNSHostName=*) (operatingSystem=*) (servicePrincipalName=*) ) Search scope: subtree Attribute selection: [all] Server controls: Visited entries: 109 Returned entries: 10 Used indexes: idx_objectClass:109:N; Pages referenced: 1660 Pages read from disk: 0 Pages preread from disk: 0 Clean pages modified: 0 Dirty pages modified: 0 Search time (ms): 16 Attributes Preventing Optimization: none User: ATTACKRANGE\ELMER_SALAS 4769001433700x8020000000000000211428Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-6$ATTACKRANGE\AR-WIN-6$0x408100000x12::ffff:10.0.1.16499750x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4634001254500x8020000000000000211427Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x5e8b5a3 4634001254500x8020000000000000211426Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x5e8b1e3 4634001254500x8020000000000000211425Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e8b8e3 4624201254400x8020000000000000211424Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5e8b8e3KerberosKerberos-{96ba6252-c73f-db27-425e-f2ca5e17fbde}--00x0-fe80::25f1:ea03:8efd:c46252735%%1833---%%18430x0%%1842 4672001254800x8020000000000000211423Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e8b8eSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000211422Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x5e8b5a3KerberosKerberos-{6001d6ad-f3d7-36bd-f24b-9f768b29a3b7}--00x0-10.0.1.1649973%%1840---%%18430x0%%1842 4634001254500x8020000000000000211421Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x5e8b2b3 4624201254400x8020000000000000211420Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x5e8b2b3KerberosKerberos-{6001d6ad-f3d7-36bd-f24b-9f768b29a3b7}--00x0-10.0.1.1649972%%1840---%%18430x0%%1842 4624201254400x8020000000000000211419Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x5e8b1e3KerberosKerberos-{6001d6ad-f3d7-36bd-f24b-9f768b29a3b7}--00x0-10.0.1.1649971%%1840---%%18430x0%%1842 4624201254400x8020000000000000211418Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x5e8ad83KerberosKerberos-{6001d6ad-f3d7-36bd-f24b-9f768b29a3b7}--00x0-10.0.1.1649968%%1840---%%18430x0%%1842 4769001433700x8020000000000000211417Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALkrbtgtATTACKRANGE\krbtgt0x608100100x12::ffff:10.0.1.16499700x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211416Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.16499690x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211415Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-10$ATTACKRANGE\AR-WIN-10$0x408100000x12::ffff:10.0.1.16499640x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211414Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-4$ATTACKRANGE\AR-WIN-4$0x408100000x12::ffff:10.0.1.16499590x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211413Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-9$ATTACKRANGE\AR-WIN-9$0x408100000x12::ffff:10.0.1.16499540x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211412Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-5$ATTACKRANGE\AR-WIN-5$0x408100000x12::ffff:10.0.1.16499490x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211411Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x12::ffff:10.0.1.16499440x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211410Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-8$ATTACKRANGE\AR-WIN-8$0x408100000x12::ffff:10.0.1.16499390x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4769001433700x8020000000000000211409Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-7$ATTACKRANGE\AR-WIN-7$0x408100000x12::ffff:10.0.1.16499340x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4624201254400x8020000000000000211408Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x5e8a933KerberosKerberos-{6001d6ad-f3d7-36bd-f24b-9f768b29a3b7}--00x0-10.0.1.1649929%%1833---%%18430x0%%1842 4769001433700x8020000000000000211407Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.16499320x0{2de16c32-2cb8-8587-beed-ff49614468e8}- 4768001433900x8020000000000000211406Securityar-win-dc.attackrange.localELMER_SALASATTACKRANGE.LOCALATTACKRANGE\ELMER_SALASkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1649931 5145001281100x8020000000000000380393Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec351Filefe80::f916:d4d5:1a47:56349979\\*\C$\??\C:\\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000380392Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec351Filefe80::f916:d4d5:1a47:56349979\\*\C$\??\C:\0x1%%4416 5140101280800x8020000000000000380391Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec351Filefe80::f916:d4d5:1a47:56349979\\*\IPC$0x1%%4416 5145001281100x8020000000000000380390Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec351Filefe80::f916:d4d5:1a47:56349979\\*\ADMIN$\??\C:\Windows\0x100081%%1541 %%4416 %%4423 - 5140101280800x8020000000000000380389Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec351Filefe80::f916:d4d5:1a47:56349979\\*\ADMIN$\??\C:\Windows0x1%%4416 4670001357000x8020000000000000380388Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e7SecurityToken-0x12ccD:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x498C:\Windows\System32\svchost.exe 410515102150x0144613Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb339ca96-7088-4414-8364-3ce920ab1b94bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144612Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local91e1128b-787f-4f16-bcc5-10ac75a6fd16bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144611Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local841008c8-e294-44b3-815b-2be533e31a9abc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144610Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local841008c8-e294-44b3-815b-2be533e31a9abc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144609Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local91e1128b-787f-4f16-bcc5-10ac75a6fd16bc087cb4-e618-4961-92c6-eee5f0231abc 4104152150x0144608Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11prompt91e1128b-787f-4f16-bcc5-10ac75a6fd16 410615103150x0144607Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local817c2d72-0fb0-43e2-bfd0-6b0a58dca00dbc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144606Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local817c2d72-0fb0-43e2-bfd0-6b0a58dca00dbc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144605Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0fb3c4ae-6549-4bca-9c47-f708ca9d1b9ebc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144604Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144603Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144602Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144601Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144600Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144599Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144598Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144597Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144596Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144595Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144594Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144593Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144592Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144591Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144590Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144589Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144588Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144587Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144586Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144585Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locald5d57344-86ae-45c3-a2ac-c345079751e1bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144584Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local065a6349-829e-4054-970c-907f82e62c49bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144583Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local065a6349-829e-4054-970c-907f82e62c49bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144582Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0fb3c4ae-6549-4bca-9c47-f708ca9d1b9ebc087cb4-e618-4961-92c6-eee5f0231abc 4104152150x0144581Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11invoke-sharefinder -CheckShareAccess0fb3c4ae-6549-4bca-9c47-f708ca9d1b9e 410615103150x0144580Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb339ca96-7088-4414-8364-3ce920ab1b94bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144579Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb339ca96-7088-4414-8364-3ce920ab1b94bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144578Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbcada747-70a9-44e1-9d9c-0356da1223a3bc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144577Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local841008c8-e294-44b3-815b-2be533e31a9abc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144576Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local841008c8-e294-44b3-815b-2be533e31a9abc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144575Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbcada747-70a9-44e1-9d9c-0356da1223a3bc087cb4-e618-4961-92c6-eee5f0231abc 4104152150x0144574Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11promptbcada747-70a9-44e1-9d9c-0356da1223a3 410615103150x0144573Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local817c2d72-0fb0-43e2-bfd0-6b0a58dca00dbc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144572Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local817c2d72-0fb0-43e2-bfd0-6b0a58dca00dbc087cb4-e618-4961-92c6-eee5f0231abc 410615103150x0144571Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb9207641-fb09-4fef-bd7b-ecf2b3f5bbb3bc087cb4-e618-4961-92c6-eee5f0231abc 410515102150x0144570Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb9207641-fb09-4fef-bd7b-ecf2b3f5bbb3bc087cb4-e618-4961-92c6-eee5f0231abc 4104152150x0144569Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11klist purgeb9207641-fb09-4fef-bd7b-ecf2b3f5bbb3 410615103150x0144568Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localb339ca96-7088-4414-8364-3ce920ab1b94bc087cb4-e618-4961-92c6-eee5f0231abc 154100x800000000000000016604Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:45.558{C9DE9129-E189-6421-5D04-00000000D502}4168C:\Windows\System32\klist.exe10.0.14393.0 (rs1_release.160715-1616)Tool for managing the Kerberos ticket cacheMicrosoft® Windows® Operating SystemMicrosoft Corporationklist.exe"C:\Windows\system32\klist.exe" purgeC:\Users\elmer_salas\Downloads\ATTACKRANGE\ELMER_SALAS{C9DE9129-BD09-6421-51C3-0E0000000000}0xec3512MediumMD5=1B4E8E3355E782F088EE2A2F54CE7D49,SHA256=4E05E47D6344D8693CF95B1B2F74FD0D372E054485924E8917E9A38A78505B11,IMPHASH=A0A80AE53522E99D3577B6DBDD68291D{C9DE9129-BD45-6421-4101-00000000D502}1408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypassATTACKRANGE\ELMER_SALAS 4689001331300x8020000000000000380387Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec3510x00x1048C:\Windows\System32\klist.exe 4688201331200x8020000000000000380386Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0xec3510x1048C:\Windows\System32\klist.exe%%19380x580"C:\Windows\system32\klist.exe" purgeNULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\Medium Mandatory Level 154100x800000000000000019033Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:33:27.926{54d3457e-e177-6421-d604-000000004902}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211405Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1890C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000211404Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x634C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019032Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:33:26.937{54d3457e-e176-6421-d504-000000004902}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019031Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:33:26.187{54d3457e-e176-6421-d404-000000004902}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211403Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1edcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211402Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e684f3 4624201254400x8020000000000000211401Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5e684f3KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-::152734%%1833---%%18430x0%%1842 4672001254800x8020000000000000211400Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e684fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000019030Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:33:24.382{54d3457e-e174-6421-d304-000000004902}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211399Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1ad8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019029Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:33:21.957{54d3457e-e171-6421-d204-000000004902}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211398Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1a34C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3448","Execution_ThreadID":"2424","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3448","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.7544207Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3448","Execution_ThreadID":"2424","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3448","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.753445Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:59Z"} 4689001331300x8020000000000000378599Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x3a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378598Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x3a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015587Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:33:05.105{8FCC9F6C-E161-6421-1B04-00000000D502}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1984--- 4673001305600x8010000000000000148890Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe {"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF330E0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"3264","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF330E0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:04.0801642Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:05Z"} 4673001305600x8010000000000000149477Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe 7300x8000000000000029740Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF330E0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"3264","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF330E0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:04.0801642Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:05Z"} 4689001331300x8020000000000000378655Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xa20C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015592Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:33:04.893{9792FEB4-E160-6421-1904-00000000D502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378654Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xa20C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378653Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xc38C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378597Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378596Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015586Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:33:04.347{8FCC9F6C-E160-6421-1A04-00000000D502}1408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 7300x8000000000000029756Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"3376","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3376","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:03.7613821Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:04Z"} 7300x8000000000000029755Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"3376","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3376","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:03.7588258Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:04Z"} 4688201331200x8020000000000000378652Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xc38C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015591Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:33:04.136{9792FEB4-E160-6421-1804-00000000D502}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378595Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xd30C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378594Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xd30C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015585Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:33:03.593{8FCC9F6C-E15F-6421-1904-00000000D502}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378651Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xc7cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378650Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xc7cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015590Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:33:03.316{9792FEB4-E15F-6421-1704-00000000D502}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378670Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378669Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015648Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:33:02.186{E6E25EEE-E15E-6421-1904-00000000D502}260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2008--- 154100x800000000000000015819Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:33:02.672{8fd3d7d2-e15e-6421-5b04-000000004902}3764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149476Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xeb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149475Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xeb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149474Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378649Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x718C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000378481Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xfccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378668Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x16cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378667Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x16cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015647Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:33:01.437{E6E25EEE-E15D-6421-1804-00000000D502}364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000149473Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149472Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x6d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149471Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x6d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015818Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:33:01.924{8fd3d7d2-e15d-6421-5a04-000000004902}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015817Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:33:01.172{8fd3d7d2-e15d-6421-5904-000000004902}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 7300x8000000000000029754Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9420000","EventID":"5","Execution_ProcessID":"4076","Execution_ThreadID":"740","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9420000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4076","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:00.6453447Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:01Z"} 4688201331200x8020000000000000378648Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x718C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015589Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:33:00.886{9792FEB4-E15C-6421-1604-00000000D502}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378480Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xfccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017326Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:33:00.828{0F843AFE-E15C-6421-1804-00000000D502}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378593Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xfecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378592Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xfecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378666Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378665Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015646Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:33:00.686{E6E25EEE-E15C-6421-1704-00000000D502}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 154100x800000000000000015584Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:33:00.776{8FCC9F6C-E15C-6421-1804-00000000D502}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1984--- 154100x800000000000000016603Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:33:00.091{C9DE9129-E15C-6421-5C04-00000000D502}4748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000380385Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x128cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380384Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x128cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4673001305600x8010000000000000148889Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe 4689001331300x8020000000000000378479Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x3acC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378478Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x3acC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017325Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:33:00.069{0F843AFE-E15C-6421-1704-00000000D502}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1844--- 4673001305600x8010000000000000149470Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe 4689001331300x8020000000000000378591Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x3f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378590Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x3f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015583Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:32:59.707{8FCC9F6C-E15B-6421-1704-00000000D502}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378387Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x130C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378386Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x130C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015598Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:32:59.574{CAB910BF-E15B-6421-1804-00000000D502}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000378477Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378476Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017324Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:32:59.311{0F843AFE-E15B-6421-1604-00000000D502}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 154100x800000000000000015816Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:32:59.066{8fd3d7d2-e15b-6421-5804-000000004902}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149469Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000149468Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380383Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1050C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380382Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1050C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016602Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:32:59.349{C9DE9129-E15B-6421-5B04-00000000D502}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 7300x8000000000000029932Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB62990000","EventID":"5","Execution_ProcessID":"3312","Execution_ThreadID":"472","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB62990000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:58.5935801Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:59Z"} 7300x8000000000000029931Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB61D30000","EventID":"5","Execution_ProcessID":"3312","Execution_ThreadID":"472","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB61D30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:58.5929845Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:59Z"} 7300x8000000000000029930Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB681D0000","EventID":"5","Execution_ProcessID":"3312","Execution_ThreadID":"488","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB681D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:58.4342128Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:59Z"} 4689001331300x8020000000000000148888Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xd10C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000380381Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xcf0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000380380Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xcf0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016601Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:32:58.584{C9DE9129-E15A-6421-5A04-00000000D502}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000378647Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xe18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378646Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xe18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015588Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:32:58.285{9792FEB4-E15A-6421-1504-00000000D502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378424Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xe8cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378423Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe8cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015563Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:32:58.319{B5208300-E15A-6421-1704-00000000D502}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000015829Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:32:58.781{94bfb0cf-e15a-6421-5d04-000000004902}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000148887Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xd10C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148886Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378385Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xd90C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378384Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xd90C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378383Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378382Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015597Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:32:58.810{CAB910BF-E15A-6421-1704-00000000D502}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015596Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:32:58.054{CAB910BF-E15A-6421-1604-00000000D502}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 7300x8000000000000029739Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.2443858Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} 7300x8000000000000029738Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.2438644Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} 7300x8000000000000029737Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA38550000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"2456","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA38550000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.0547186Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"188","Execution_ThreadID":"2748","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.6536596Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"188","Execution_ThreadID":"2748","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:55.6532214Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA58720000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"1616","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA58720000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:54.6083833Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:56Z"} 154100x800000000000000015828Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:32:57.921{94bfb0cf-e159-6421-5c04-000000004902}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000148885Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x1040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015815Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:32:57.320{8fd3d7d2-e159-6421-5704-000000004902}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149467Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xe40C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000149466Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xe40C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015645Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:32:57.122{E6E25EEE-E159-6421-1604-00000000D502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378664Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xedcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378663Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xedcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378422Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xa10C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378421Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa10C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015562Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:32:57.548{B5208300-E159-6421-1604-00000000D502}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"3324","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.8680143Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"3324","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.8672992Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"2992","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6984244Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029716Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"2036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6475321Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029715Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"2036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6468629Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029714Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA5FCC0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"908","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA5FCC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.4665981Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"2036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6475321Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"2036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6468629Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} {"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA5FCC0000","EventID":"5","Execution_ProcessID":"2592","Execution_ThreadID":"908","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA5FCC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2592","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.4665981Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029728Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"3324","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.8680143Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029727Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"3324","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.8672992Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 7300x8000000000000029726Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"3820","Execution_ThreadID":"2992","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3820","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:55.6984244Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:57Z"} 4689001331300x8020000000000000148884Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x5d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378420Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xeecC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378419Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xeecC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015561Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:32:56.784{B5208300-E158-6421-1504-00000000D502}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000016600Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:32:56.523{C9DE9129-E158-6421-5904-00000000D502}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000380379Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xe04C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000380378Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xe04C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378475Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xa20C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015644Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:32:56.048{E6E25EEE-E158-6421-1504-00000000D502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378662Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xc74C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378661Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xc74C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000148883Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x5d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148882Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xe38C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000148881Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xe38C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015827Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:32:56.826{94bfb0cf-e158-6421-5b04-000000004902}1496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015826Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:32:56.020{94bfb0cf-e158-6421-5a04-000000004902}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3000--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.3982461Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.3973319Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC0A490000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"828","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFC0A490000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.2136205Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} 4688201331200x8020000000000000378474Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xa20C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017323Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:32:56.052{0F843AFE-E158-6421-1504-00000000D502}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378473Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x83cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378472Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x83cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017322Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:32:55.173{0F843AFE-E157-6421-1404-00000000D502}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1844--- 7300x8000000000000029761Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.3982461Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} 7300x8000000000000029760Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.3973319Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} 7300x8000000000000029759Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC0A490000","EventID":"5","Execution_ProcessID":"528","Execution_ThreadID":"828","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFC0A490000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"528","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:54.2136205Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:55Z"} 4689001331300x8020000000000000378381Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x210C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015560Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:32:54.206{B5208300-E156-6421-1404-00000000D502}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378418Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x9b4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378417Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x9b4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380377Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000380376Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016599Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:32:54.541{C9DE9129-E156-6421-5804-00000000D502}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1876--- 4688201331200x8020000000000000378380Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x210C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378379Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xb48C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378378Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xb48C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015595Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:32:54.886{CAB910BF-E156-6421-1504-00000000D502}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015594Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:32:54.083{CAB910BF-E156-6421-1404-00000000D502}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000148880Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x111cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000148879Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x111cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015825Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:32:54.148{94bfb0cf-e156-6421-5904-000000004902}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000378416Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xb1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000015559Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:32:51.864{B5208300-E153-6421-1304-00000000D502}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 4688201331200x8020000000000000378415Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000211397Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xae4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019028Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:32:27.915{54d3457e-e13b-6421-d104-000000004902}2788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211396Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019027Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:32:26.776{54d3457e-e13a-6421-d004-000000004902}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019026Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:32:26.173{54d3457e-e13a-6421-cf04-000000004902}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211395Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211394Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e00353 4624201254400x8020000000000000211393Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5e00353KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-::152733%%1833---%%18430x0%%1842 4672001254800x8020000000000000211392Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5e0035SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000019025Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:32:24.372{54d3457e-e138-6421-ce04-000000004902}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211391Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xaccC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019024Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:32:21.953{54d3457e-e135-6421-cd04-000000004902}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211390Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x658C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.3484322Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.3479317Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF352B0000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF352B0000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.1293064Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} 154100x800000000000000015582Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:32:05.094{8FCC9F6C-E125-6421-1604-00000000D502}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1984--- 7300x8000000000000029739Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.3484322Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} 7300x8000000000000029738Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.3479317Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} 7300x8000000000000029737Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF352B0000","EventID":"5","Execution_ProcessID":"3168","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFF352B0000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3168","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:04.1293064Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:05Z"} 4689001331300x8020000000000000378645Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xc60C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378589Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xe3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378588Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xe3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015587Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:32:04.919{9792FEB4-E124-6421-1404-00000000D502}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378644Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xc60C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378587Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xc74C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378586Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xc74C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015581Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:32:04.327{8FCC9F6C-E124-6421-1504-00000000D502}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378643Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378642Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015586Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:32:04.150{9792FEB4-E124-6421-1304-00000000D502}1568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000029753Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"1892","Execution_ThreadID":"704","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1892","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:03.6629301Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:04Z"} 7300x8000000000000029752Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"1892","Execution_ThreadID":"704","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1892","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:03.6622452Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:04Z"} 4689001331300x8020000000000000378585Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378584Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015580Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:32:03.575{8FCC9F6C-E123-6421-1404-00000000D502}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378641Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x6e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378640Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x6e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015585Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:32:03.316{9792FEB4-E123-6421-1204-00000000D502}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000015814Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:32:02.721{8fd3d7d2-e122-6421-5604-000000004902}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015643Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:32:02.089{E6E25EEE-E122-6421-1404-00000000D502}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000149465Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x11b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149464Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x11b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149463Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10xdecC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000378660Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x954C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378659Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x954C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378583Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x27cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015813Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:32:01.920{8fd3d7d2-e121-6421-5504-000000004902}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015812Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:32:01.162{8fd3d7d2-e121-6421-5404-000000004902}4728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 4688201331200x8020000000000000149462Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70xdecC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149461Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x1278C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149460Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x1278C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378658Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x298C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378657Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x298C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015642Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:32:01.422{E6E25EEE-E121-6421-1304-00000000D502}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378471Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xb30C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378639Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 7300x8000000000000029751Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE6B60000","EventID":"5","Execution_ProcessID":"636","Execution_ThreadID":"3560","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE6B60000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"636","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:00.6372145Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:01Z"} 154100x800000000000000015579Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:32:00.769{8FCC9F6C-E120-6421-1304-00000000D502}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378656Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x2f4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378655Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x2f4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015641Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:32:00.674{E6E25EEE-E120-6421-1204-00000000D502}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000378470Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xb30C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017321Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:32:00.808{0F843AFE-E120-6421-1304-00000000D502}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4688201331200x8020000000000000378638Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015584Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:32:00.872{9792FEB4-E120-6421-1104-00000000D502}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000380375Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x998C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380374Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x998C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016598Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:32:00.100{C9DE9129-E120-6421-5704-00000000D502}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 4688201331200x8020000000000000378582Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x27cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378469Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x9f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378468Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x9f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017320Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:32:00.052{0F843AFE-E120-6421-1204-00000000D502}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378581Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xb34C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378580Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xb34C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015578Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:31:59.683{8FCC9F6C-E11F-6421-1204-00000000D502}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1984--- 4689001331300x8020000000000000378467Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xe90C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378466Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xe90C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017319Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:31:59.299{0F843AFE-E11F-6421-1104-00000000D502}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 154100x800000000000000015593Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:31:59.563{CAB910BF-E11F-6421-1304-00000000D502}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000378377Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xfe4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378376Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xfe4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378375Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x3d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4689001331300x8020000000000000148878Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000015811Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:31:59.058{8fd3d7d2-e11f-6421-5304-000000004902}4620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149459Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x120cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000149458Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x120cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380373Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x13e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000380372Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x13e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016597Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:31:59.346{C9DE9129-E11F-6421-5604-00000000D502}5092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1876--- 7300x8000000000000029929Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB62990000","EventID":"5","Execution_ProcessID":"4976","Execution_ThreadID":"4808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB62990000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4976","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:58.586711Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:59Z"} 7300x8000000000000029928Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB61D30000","EventID":"5","Execution_ProcessID":"4976","Execution_ThreadID":"4808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB61D30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4976","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:58.5861749Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:59Z"} 7300x8000000000000029927Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB625B0000","EventID":"5","Execution_ProcessID":"4976","Execution_ThreadID":"1928","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFB625B0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4976","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:58.4224059Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:59Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"1264","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.2449862Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"1264","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:33:57.2445533Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:33:57Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.2443858Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.2438644Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} {"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA38550000","EventID":"5","Execution_ProcessID":"3804","Execution_ThreadID":"2456","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA38550000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3804","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:32:57.0547186Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:32:58Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA3CBF0000","EventID":"5","Execution_ProcessID":"3988","Execution_ThreadID":"3824","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA3CBF0000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3988","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:57.048727Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:58Z"} 4689001331300x8020000000000000378637Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xc90C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378636Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xc90C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015583Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:31:58.285{9792FEB4-E11E-6421-1004-00000000D502}3216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000380371Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x1370C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380370Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1370C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016596Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:31:58.573{C9DE9129-E11E-6421-5504-00000000D502}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000378414Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xe20C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378413Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe20C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015558Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:31:58.298{B5208300-E11E-6421-1204-00000000D502}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 4688201331200x8020000000000000378374Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x3d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378373Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xdc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015592Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:31:58.803{CAB910BF-E11E-6421-1204-00000000D502}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015591Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:31:58.050{CAB910BF-E11E-6421-1104-00000000D502}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 4688201331200x8020000000000000378372Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xdc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015824Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:58.784{94bfb0cf-e11e-6421-5804-000000004902}260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000148877Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148876Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x1238C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 7300x8000000000000029736Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA3CBF0000","EventID":"5","Execution_ProcessID":"3988","Execution_ThreadID":"3824","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFA3CBF0000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3988","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:57.048727Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:58Z"} 154100x800000000000000015823Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:57.926{94bfb0cf-e11d-6421-5704-000000004902}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000148875Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x1238C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149457Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000149456Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015810Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:31:57.318{8fd3d7d2-e11d-6421-5204-000000004902}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000378654Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xf94C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378653Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xf94C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015640Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:31:57.115{E6E25EEE-E11D-6421-1104-00000000D502}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378412Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x190C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378411Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x190C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378410Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x4b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015557Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:31:57.540{B5208300-E11D-6421-1104-00000000D502}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"3732","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.9525285Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"3732","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.9510855Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"4052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.699493Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 7300x8000000000000029725Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"3732","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.9525285Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 7300x8000000000000029724Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"3732","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.9510855Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 7300x8000000000000029723Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"1200","Execution_ThreadID":"4052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1200","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:55.699493Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 7300x8000000000000029735Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"1872","Execution_ThreadID":"3336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:56.1983638Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 7300x8000000000000029734Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"1872","Execution_ThreadID":"3336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:56.1966361Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 154100x800000000000000016595Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:31:56.502{C9DE9129-E11C-6421-5404-00000000D502}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000380369Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x174C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000380368Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x174C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378465Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xfecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378409Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x4b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015556Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:31:56.783{B5208300-E11C-6421-1004-00000000D502}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378652Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x750C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378651Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x750C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015639Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:31:56.050{E6E25EEE-E11C-6421-1004-00000000D502}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000148874Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xc94C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000148873Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xc94C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148872Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x674C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000148871Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x674C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015822Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:56.821{94bfb0cf-e11c-6421-5604-000000004902}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015821Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:56.001{94bfb0cf-e11c-6421-5504-000000004902}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3000--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.8227109Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.8183488Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA58720000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA58720000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.6064247Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029713Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.8227109Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029712Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.8183488Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029711Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA58720000","EventID":"5","Execution_ProcessID":"3608","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA58720000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3608","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.6064247Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 4688201331200x8020000000000000378464Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xfecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017318Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:31:56.048{0F843AFE-E11C-6421-1004-00000000D502}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1844--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.4407976Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.4403564Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC02090000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFC02090000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.2387113Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029758Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.4407976Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029757Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.4403564Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 7300x8000000000000029756Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC02090000","EventID":"5","Execution_ProcessID":"2060","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFC02090000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2060","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:54.2387113Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:56Z"} 4689001331300x8020000000000000378463Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10xe18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378462Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70xe18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017317Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:31:55.171{0F843AFE-E11B-6421-0F04-00000000D502}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378371Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x80cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000016594Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:31:54.533{C9DE9129-E11A-6421-5304-00000000D502}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000380367Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xedcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000380366Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xedcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000378370Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x80cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378369Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x170C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378368Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x170C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015590Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:31:54.888{CAB910BF-E11A-6421-1004-00000000D502}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015589Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:31:54.067{CAB910BF-E11A-6421-0F04-00000000D502}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015555Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:31:54.208{B5208300-E11A-6421-0F04-00000000D502}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378408Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xd60C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378407Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd60C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015820Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:54.144{94bfb0cf-e11a-6421-5404-000000004902}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000148870Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000148869Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378406Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xa2cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378405Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa2cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015554Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:31:51.848{B5208300-E117-6421-0E04-00000000D502}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 4688201331200x8020000000000000211389Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1a6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019023Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:31:27.923{54d3457e-e0ff-6421-cc04-000000004902}6764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211388Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019022Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:31:26.905{54d3457e-e0fe-6421-cb04-000000004902}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019021Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:31:26.148{54d3457e-e0fe-6421-ca04-000000004902}2496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211387Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x9c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211386Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5d96be3 4624201254400x8020000000000000211385Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x5d96be3KerberosKerberos-{5a7b2fcf-9231-83fc-baa3-e7ea93bf3dd7}--00x0-::152732%%1833---%%18430x0%%1842 4672001254800x8020000000000000211384Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5d96beSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000211383Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xac0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000019020Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:31:24.367{54d3457e-e0fc-6421-c904-000000004902}2752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3088--- 154100x800000000000000019019Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 18:31:21.958{54d3457e-e0f9-6421-c804-000000004902}8048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-b798-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3088--- 4688201331200x8020000000000000211382Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1f70C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc10"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 22542200x800000000000000015819Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:31:15.538{94bfb0cf-de51-6421-1c04-000000004902}420wpad9003-C:\Windows\system32\svchost.exeNT AUTHORITY\LOCAL SERVICE 4689001331300x8020000000000000378579Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xc8cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378578Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xc8cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015577Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:31:05.063{8FCC9F6C-E0E9-6421-1104-00000000D502}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1984--- 4673001305600x8010000000000000148868Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe 4673001305600x8010000000000000149455Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe 7300x8000000000000029736Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF299D0000","EventID":"5","Execution_ProcessID":"4056","Execution_ThreadID":"3528","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF299D0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4056","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:04.3316457Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:05Z"} 7300x8000000000000029735Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF29A00000","EventID":"5","Execution_ProcessID":"4056","Execution_ThreadID":"3528","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF29A00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4056","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:04.3306721Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:05Z"} 7300x8000000000000029734Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF330E0000","EventID":"5","Execution_ProcessID":"4056","Execution_ThreadID":"2424","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF330E0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4056","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:04.0821155Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:05Z"} 4689001331300x8020000000000000378635Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xfd8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015582Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:31:04.892{9792FEB4-E0E8-6421-0F04-00000000D502}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378634Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xfd8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378633Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10x8d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000015581Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:31:04.143{9792FEB4-E0E8-6421-0E04-00000000D502}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 4688201331200x8020000000000000378632Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x8d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378577Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10x1d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378576Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x1d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015576Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:31:04.309{8FCC9F6C-E0E8-6421-1004-00000000D502}468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 7300x8000000000000029750Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E60000","EventID":"5","Execution_ProcessID":"4064","Execution_ThreadID":"3452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4064","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:03.6990085Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:04Z"} 7300x8000000000000029749Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBD4E90000","EventID":"5","Execution_ProcessID":"4064","Execution_ThreadID":"3452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBD4E90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4064","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:03.6983532Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:04Z"} 154100x800000000000000015580Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:31:03.305{9792FEB4-E0E7-6421-0D04-00000000D502}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378631Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xee8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378630Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xee8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378575Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378574Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015575Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:31:03.570{8FCC9F6C-E0E7-6421-0F04-00000000D502}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1984--- 154100x800000000000000015809Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:31:02.706{8fd3d7d2-e0e6-6421-5104-000000004902}68C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015638Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:31:02.188{E6E25EEE-E0E6-6421-0F04-00000000D502}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378650Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xae8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378649Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xae8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149454Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149453Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149452Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000015808Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:31:01.913{8fd3d7d2-e0e5-6421-5004-000000004902}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2952--- 154100x800000000000000015807Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:31:01.156{8fd3d7d2-e0e5-6421-4f04-000000004902}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2952--- 4688201331200x8020000000000000149451Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000149450Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000149449Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378629Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xe50C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000378648Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x1d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378647Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x1d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015637Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:31:01.432{E6E25EEE-E0E5-6421-0E04-00000000D502}472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2008--- 4689001331300x8020000000000000378573Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xfd0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 7300x8000000000000029748Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBE9420000","EventID":"5","Execution_ProcessID":"4048","Execution_ThreadID":"3536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFBE9420000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4048","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:00.6445754Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:01Z"} 4688201331200x8020000000000000378628Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xe50C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015579Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:31:00.860{9792FEB4-E0E4-6421-0C04-00000000D502}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378646Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xcdcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378645Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xcdcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015636Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:31:00.682{E6E25EEE-E0E4-6421-0D04-00000000D502}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2008--- 154100x800000000000000015574Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:31:00.776{8FCC9F6C-E0E4-6421-0E04-00000000D502}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1984--- 4688201331200x8020000000000000378572Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xfd0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378461Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x630C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000017316Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:31:00.679{0F843AFE-E0E4-6421-0E04-00000000D502}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 4688201331200x8020000000000000378460Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x630C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380365Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x10d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380364Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016593Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:31:00.075{C9DE9129-E0E4-6421-5204-00000000D502}4312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- 4673001305600x8010000000000000148867Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x778C:\Windows\System32\svchost.exe 4689001331300x8020000000000000378571Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70x10xcc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4689001331300x8020000000000000378459Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x270C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378458Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x270C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017315Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:31:00.041{0F843AFE-E0E4-6421-0D04-00000000D502}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1844--- 4673001305600x8010000000000000149448Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x83cC:\Windows\System32\svchost.exe 4688201331200x8020000000000000378570Securityar-win-4.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-4$ATTACKRANGE0x3e70xcc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7c0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015573Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-27 18:30:59.687{8FCC9F6C-E0E3-6421-0D04-00000000D502}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-B797-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1984--- 154100x800000000000000015588Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:30:59.548{CAB910BF-E0E3-6421-0E04-00000000D502}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000378367Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xc50C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378366Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xc50C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378457Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x49cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378456Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x49cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017314Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:30:59.282{0F843AFE-E0E3-6421-0C04-00000000D502}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1844--- 154100x800000000000000015806Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:30:59.056{8fd3d7d2-e0e3-6421-4e04-000000004902}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149447Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x11ecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000149446Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x11ecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148866Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xd94C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 7300x8000000000000029926Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB62990000","EventID":"5","Execution_ProcessID":"2308","Execution_ThreadID":"4340","ImageBase":"0x7FFB62990000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2308","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:58.6069435Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:59Z"} 7300x8000000000000029925Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB61D30000","EventID":"5","Execution_ProcessID":"2308","Execution_ThreadID":"4340","ImageBase":"0x7FFB61D30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2308","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:58.6063745Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:59Z"} 4689001331300x8020000000000000380363Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xd3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000380362Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xd3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016592Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:30:59.315{C9DE9129-E0E3-6421-5104-00000000D502}3388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1876--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"1872","Execution_ThreadID":"3336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:56.1983638Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"1872","Execution_ThreadID":"3336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:31:56.1966361Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:31:57Z"} 4688201331200x8020000000000000148865Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xd94C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380361Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000380360Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016591Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:30:58.564{C9DE9129-E0E2-6421-5004-00000000D502}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1876--- 4689001331300x8020000000000000378627Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70x10xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378626Securityar-win-9.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-9$ATTACKRANGE0x3e70xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7ac"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015578Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-27 18:30:58.276{9792FEB4-E0E2-6421-0B04-00000000D502}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-B795-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4689001331300x8020000000000000378404Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x5a0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378403Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x5a0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015553Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:30:58.261{B5208300-E0E2-6421-0D04-00000000D502}1440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378365Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xc60C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000378364Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xc60C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378363Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xa3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378362Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xa3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015587Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:30:58.807{CAB910BF-E0E2-6421-0D04-00000000D502}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015586Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:30:58.048{CAB910BF-E0E2-6421-0C04-00000000D502}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1956--- 7300x8000000000000029755Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFF980000","EventID":"5","Execution_ProcessID":"2620","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFF980000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2620","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.5358191Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029754Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFBFFAB0000","EventID":"5","Execution_ProcessID":"2620","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFBFFAB0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2620","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.5353648Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029753Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFC00330000","EventID":"5","Execution_ProcessID":"2620","Execution_ThreadID":"3548","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFC00330000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2620","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.3734895Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 154100x800000000000000015818Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:30:58.784{94bfb0cf-e0e2-6421-5304-000000004902}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3000--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2400","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.2866501Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2400","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.2859161Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA32630000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2128","ImageBase":"0x7FFA32630000","ImageCheckSum":"253833","ImageLoaded":"\\Windows\\System32\\adsldpc.dll","ImageName":"\\Windows\\System32\\adsldpc.dll","ImageSize":"0x42000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\adsldpc.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.0249234Z","TimeDateStamp":"1468635677","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029924Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB681D0000","EventID":"5","Execution_ProcessID":"2308","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-regmon.exe","ImageBase":"0x7FFB681D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2308","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:58.4138317Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029733Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A310000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2400","ImageBase":"0x7FFA2A310000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.2866501Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029732Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA2A340000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2400","ImageBase":"0x7FFA2A340000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.2859161Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 7300x8000000000000029731Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA32630000","EventID":"5","Execution_ProcessID":"908","Execution_ThreadID":"2128","ImageBase":"0x7FFA32630000","ImageCheckSum":"253833","ImageLoaded":"\\Windows\\System32\\adsldpc.dll","ImageName":"\\Windows\\System32\\adsldpc.dll","ImageSize":"0x42000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\adsldpc.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"908","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:57.0249234Z","TimeDateStamp":"1468635677","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:58Z"} 4689001331300x8020000000000000148864Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xc88C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015817Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:30:57.923{94bfb0cf-e0e1-6421-5204-000000004902}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 154100x800000000000000015805Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-27 18:30:57.319{8fd3d7d2-e0e1-6421-4d04-000000004902}1876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-b796-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2952--- 4689001331300x8020000000000000149445Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x10x754C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000149444Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e70x754C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xb88"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378644Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10x38cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378643Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x38cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015635Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:30:57.090{E6E25EEE-E0E1-6421-0C04-00000000D502}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000148863Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xc88C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148862Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x2d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000378402Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xf24C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000378401Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf24C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378400Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000015552Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:30:57.510{B5208300-E0E1-6421-0C04-00000000D502}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000029722Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF80FC60000","EventID":"5","Execution_ProcessID":"864","Execution_ThreadID":"972","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF80FC60000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"864","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:55.98195Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:57Z"} 7300x8000000000000029721Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8109B0000","EventID":"5","Execution_ProcessID":"864","Execution_ThreadID":"972","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF8109B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"864","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:55.9812369Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:57Z"} 7300x8000000000000029720Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF819410000","EventID":"5","Execution_ProcessID":"864","Execution_ThreadID":"1972","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FF819410000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"864","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:55.685734Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:57Z"} 4688201331200x8020000000000000378399Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000380359Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10x448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000380358Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016590Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:30:56.486{C9DE9129-E0E0-6421-4F04-00000000D502}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1876--- 154100x800000000000000015551Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:30:56.766{B5208300-E0E0-6421-0B04-00000000D502}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378455Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x68cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000378642Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70x10xc6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378641Securityar-win-5.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-5$ATTACKRANGE0x3e70xc6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015634Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-27 18:30:56.058{E6E25EEE-E0E0-6421-0B04-00000000D502}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-B794-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2008--- 4688201331200x8020000000000000148861Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x2d4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148860Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10xf1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000015816Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:30:56.812{94bfb0cf-e0e0-6421-5104-000000004902}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3000--- 7300x8000000000000029710Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9A0000","EventID":"5","Execution_ProcessID":"300","Execution_ThreadID":"2308","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:54.8153129Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:56Z"} 7300x8000000000000029709Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA4D9D0000","EventID":"5","Execution_ProcessID":"300","Execution_ThreadID":"2308","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA4D9D0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:54.8142307Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:56Z"} 7300x8000000000000029708Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFA58720000","EventID":"5","Execution_ProcessID":"300","Execution_ThreadID":"2308","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFA58720000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T18:30:54.6014006Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T18:30:56Z"} 4688201331200x8020000000000000378454Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x68cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017313Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:30:56.039{0F843AFE-E0E0-6421-0B04-00000000D502}1676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1844--- 4688201331200x8020000000000000148859Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70xf1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015815Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:30:55.989{94bfb0cf-e0df-6421-5004-000000004902}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3000--- 4689001331300x8020000000000000378453Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x10x12cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378452Securityar-win-7.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-7$ATTACKRANGE0x3e70x12cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x734"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000017312Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-27 18:30:55.165{0F843AFE-E0DF-6421-0A04-00000000D502}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1844--- 4689001331300x8020000000000000378361Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10xe04C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4689001331300x8020000000000000380357Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10xd00C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000380356Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xd00C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x754"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000016589Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-27 18:30:54.528{C9DE9129-E0DE-6421-4E04-00000000D502}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-B793-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1876--- 154100x800000000000000015550Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:30:54.198{B5208300-E0DE-6421-0A04-00000000D502}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 4689001331300x8020000000000000378398Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x3d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000378397Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x3d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000148858Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x10x974C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000148857Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e70x974C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xbb8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015814Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-27 18:30:54.141{94bfb0cf-e0de-6421-4f04-000000004902}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-b792-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3000--- 4688201331200x8020000000000000378360Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70xe04C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000378359Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x10x274C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000378358Securityar-win-8.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-8$ATTACKRANGE0x3e70x274C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a4"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000015585Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:30:54.882{CAB910BF-E0DE-6421-0B04-00000000D502}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1956--- 154100x800000000000000015584Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-27 18:30:54.056{CAB910BF-E0DE-6421-0A04-00000000D502}628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-B792-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1956--- 4689001331300x8020000000000000378396Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000015549Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 18:30:51.831{B5208300-E0DB-6421-0904-00000000D502}1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-B78F-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 4688201331200x8020000000000000378395Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x760"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000211381Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x5d3d923