703604000x8080000000000000121656Systemar-win-dc.attackrange.localWindows Updatestopped770075006100750073006500720076002F0031000000 4702101280400x8020000000000000170571Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7\Microsoft\Windows\WindowsUpdate\Scheduled Start<?xml version="1.0" encoding="UTF-16"?> <Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Source>Microsoft Corporation.</Source> <Author>Microsoft Corporation.</Author> <Description>This task is used to start the Windows Update service when needed to perform scheduled operations such as scans.</Description> <URI>\Microsoft\Windows\WindowsUpdate\Scheduled Start</URI> <SecurityDescriptor>D:(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;BA)</SecurityDescriptor> </RegistrationInfo> <Triggers> <TimeTrigger> <StartBoundary>2023-04-07T17:43:11Z</StartBoundary> <Enabled>true</Enabled> <RandomDelay>PT1M</RandomDelay> </TimeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>ConsoleDisconnect</StateChange> </SessionStateChangeTrigger> <SessionStateChangeTrigger> <Enabled>false</Enabled> <StateChange>RemoteDisconnect</StateChange> </SessionStateChangeTrigger> <WnfStateChangeTrigger> <Enabled>false</Enabled> <StateName>7508BCA3380C960C</StateName> <Data>01</Data> <DataOffset>0</DataOffset> </WnfStateChangeTrigger> </Triggers> <Principals> <Principal id="LocalSystem"> <RunLevel>LeastPrivilege</RunLevel> <UserId>NT AUTHORITY\SYSTEM</UserId> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <Duration>PT10M</Duration> <WaitTimeout>PT1H</WaitTimeout> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>false</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession> <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="LocalSystem"> <Exec> <Command>C:\Windows\system32\sc.exe</Command> <Arguments>start wuauserv</Arguments> </Exec> </Actions> </Task>16522581132916297725846040ar-win-dc.attackrange.local 4673001305600x8020000000000000170570Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7NT Local Security Authority / Authentication ServiceLsaRegisterLogonProcess()SeTcbPrivilege0x270C:\Windows\System32\lsass.exe 4634001254500x8020000000000000170569Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE0x29bbac13 154100x800000000000000053786Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:45:55.536{F02F376E-1363-642F-1B1E-00000000D802}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402420Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf14C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000402419Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf90C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000402418Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbfcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053785Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:45:54.793{F02F376E-1362-642F-1A1E-00000000D802}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1892--- 154100x800000000000000053784Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:45:54.031{F02F376E-1362-642F-191E-00000000D802}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"3452","Execution_ThreadID":"1032","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3452","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:46:49.6106058Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:46:50Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"3452","Execution_ThreadID":"1032","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3452","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:46:49.6096724Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:46:50Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFEA89C0000","EventID":"5","Execution_ProcessID":"3452","Execution_ThreadID":"3404","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFEA89C0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3452","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:46:49.3892071Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:46:50Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.5927932Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:50Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.5921726Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:50Z"} 7300x8000000000000051127Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.5927932Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:50Z"} 7300x8000000000000051126Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.5921726Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:50Z"} 154100x800000000000000053783Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:45:49.891{F02F376E-135D-642F-181E-00000000D802}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1892--- 154100x800000000000000053782Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:45:49.285{F02F376E-135D-642F-171E-00000000D802}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402417Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfc8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000402416Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb68C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000051125Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE9EFF0000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"3596","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE9EFF0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.3802709Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:49Z"} 4634001254500x8020000000000000170568Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aab123 4634001254500x8020000000000000170567Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ac49f3 4634001254500x8020000000000000170566Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE0x29bba303 4634001254500x8020000000000000170565Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE0x29bba923 4627001255400x8020000000000000170564Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-537851375-1300420925-1735565775-1111AR-WIN-2$ATTACKRANGE.LOCAL0x29bbac1311 ATTACKRANGE\Domain Computers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\MA-gordaysof-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3795} ATTACKRANGE\NE-vie-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3914} ATTACKRANGE\ER-bab-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3636} ATTACKRANGE\IN-ark-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3685} ATTACKRANGE\NI-mar-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3827} ATTACKRANGE\DA-caracteri-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4037} ATTACKRANGE\DA-exi-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3696} ATTACKRANGE\LE-310-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3985} ATTACKRANGE\MY-quinesita-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3645} ATTACKRANGE\AL-bbc193272-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3666} ATTACKRANGE\DE-281-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3947} ATTACKRANGE\ES-beto_1294-distlist1 %{S-1-18-1} Mandatory Label\Medium Plus Mandatory Level 4624201254400x8020000000000000170563Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE.LOCAL0x29bbac13KerberosKerberos-{a7630131-24ce-1514-b492-307c15ba2085}--00x0-10.0.1.1550055%%1840---%%18430x0%%1842 4627001255400x8020000000000000170562Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-537851375-1300420925-1735565775-1111AR-WIN-2$ATTACKRANGE.LOCAL0x29bba92311 ATTACKRANGE\Domain Computers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\MA-gordaysof-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3795} ATTACKRANGE\NE-vie-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3914} ATTACKRANGE\ER-bab-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3636} ATTACKRANGE\IN-ark-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3685} ATTACKRANGE\NI-mar-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3827} ATTACKRANGE\DA-caracteri-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4037} ATTACKRANGE\DA-exi-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3696} ATTACKRANGE\LE-310-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3985} ATTACKRANGE\MY-quinesita-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3645} ATTACKRANGE\AL-bbc193272-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3666} ATTACKRANGE\DE-281-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3947} ATTACKRANGE\ES-beto_1294-distlist1 %{S-1-18-1} Mandatory Label\Medium Plus Mandatory Level 4624201254400x8020000000000000170561Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE.LOCAL0x29bba923KerberosKerberos-{05e8b029-7af9-cdde-b47d-868d62173371}--00x0-10.0.1.1550054%%1833---%%18430x0%%1842 4627001255400x8020000000000000170560Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-537851375-1300420925-1735565775-1111AR-WIN-2$ATTACKRANGE.LOCAL0x29bba30311 ATTACKRANGE\Domain Computers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\MA-gordaysof-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3795} ATTACKRANGE\NE-vie-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3914} ATTACKRANGE\ER-bab-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3636} ATTACKRANGE\IN-ark-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3685} ATTACKRANGE\NI-mar-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3827} ATTACKRANGE\DA-caracteri-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4037} ATTACKRANGE\DA-exi-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3696} ATTACKRANGE\LE-310-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3985} ATTACKRANGE\MY-quinesita-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3645} ATTACKRANGE\AL-bbc193272-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3666} ATTACKRANGE\DE-281-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3947} ATTACKRANGE\ES-beto_1294-distlist1 %{S-1-18-1} Mandatory Label\Medium Plus Mandatory Level 4624201254400x8020000000000000170559Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE.LOCAL0x29bba303KerberosKerberos-{05e8b029-7af9-cdde-b47d-868d62173371}--00x0-10.0.1.1550053%%1833---%%18430x0%%1842 4634001254500x8020000000000000402415Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x247fedc3 4624201254400x8020000000000000402414Securityar-win-2.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE.LOCAL0x247fedc3KerberosKerberos-{CAF46C7C-2D41-CC37-AC8F-1796FBA9E0DE}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000402413Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x247fedcSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000170558Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-537851375-1300420925-1735565775-1111AR-WIN-2$ATTACKRANGE.LOCAL0x29bb97e311 ATTACKRANGE\Domain Computers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\MA-gordaysof-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3795} ATTACKRANGE\NE-vie-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3914} ATTACKRANGE\ER-bab-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3636} ATTACKRANGE\IN-ark-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3685} ATTACKRANGE\NI-mar-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3827} ATTACKRANGE\DA-caracteri-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4037} ATTACKRANGE\DA-exi-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3696} ATTACKRANGE\LE-310-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3985} ATTACKRANGE\MY-quinesita-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-3645} ATTACKRANGE\AL-bbc193272-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3666} ATTACKRANGE\DE-281-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3947} ATTACKRANGE\ES-beto_1294-distlist1 %{S-1-18-1} Mandatory Label\Medium Plus Mandatory Level 4624201254400x8020000000000000170557Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE.LOCAL0x29bb97e3KerberosKerberos-{05e8b029-7af9-cdde-b47d-868d62173371}--00x0-10.0.1.1550052%%1833---%%18430x0%%1842 4634001254500x8020000000000000170556Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ba0f83 4627001255400x8020000000000000170555Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29ba0f8311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170554Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29ba0f83KerberosKerberos-{f5b8e1b7-7cc8-708a-216a-0546bbb967ba}--00x0-::163608%%1833---%%18430x0%%1842 4672001254800x8020000000000000170553Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ba0f8SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4732001382600x8020000000000000170552Securityar-win-dc.attackrange.localCN=MAURICE_ANDERSON,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=localATTACKRANGE\MAURICE_ANDERSONDnsAdminsATTACKRANGEATTACKRANGE\DnsAdminsATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3- 4735001382600x8020000000000000170551Securityar-win-dc.attackrange.localDnsAdminsATTACKRANGEATTACKRANGE\DnsAdminsATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3--- 04/06/2023 18:45:13.034 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=DnsAdmins distinguishedName=CN=DnsAdmins,CN=Users,DC=attackrange,DC=local cn=DnsAdmins Object Details: sAMAccountType=536870912 sAMAccountName=DnsAdmins objectSid=S-1-5-21-537851375-1300420925-1735565775-1109 objectGUID=f17579e3-485f-4b07-82f6-d02fd6b5f35b whenChanged=06:45.13 PM, Thu 04/06/2023 whenCreated=02:19.23 AM, Sun 03/26/2023 objectClass=top|group Event Details: uSNChanged=98723 uSNCreated=12486 instanceType=4 Additional Details: dSCorePropagationData=20230326024245.0Z|20230326024244.0Z|20230326024242.0Z|20230326024241.0Z|16010714223649.0Z groupType=-2147483644 member=CN=MAURICIO_JOSEPH,OU=T2-Servers,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MAGGIE_LONG,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MAURICE_ANDERSON,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=DNS Administrators Group 04/06/2023 18:45:13.010 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=DnsAdmins distinguishedName=CN=DnsAdmins,CN=Users,DC=attackrange,DC=local cn=DnsAdmins Object Details: sAMAccountType=536870912 sAMAccountName=DnsAdmins objectSid=S-1-5-21-537851375-1300420925-1735565775-1109 objectGUID=f17579e3-485f-4b07-82f6-d02fd6b5f35b whenChanged=06:45.13 PM, Thu 04/06/2023 whenCreated=02:19.23 AM, Sun 03/26/2023 objectClass=top|group Event Details: uSNChanged=98723 uSNCreated=12486 instanceType=4 Additional Details: dSCorePropagationData=20230326024245.0Z|20230326024244.0Z|20230326024242.0Z|20230326024241.0Z|16010714223649.0Z groupType=-2147483644 member=CN=MAURICIO_JOSEPH,OU=T2-Servers,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MAGGIE_LONG,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MAURICE_ANDERSON,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=DNS Administrators Group 154100x800000000000000055604Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:10.705{f73635a5-1336-642f-1e1f-000000004b02}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055603Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:09.954{f73635a5-1335-642f-1d1f-000000004b02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055602Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:09.224{f73635a5-1335-642f-1c1f-000000004b02}5592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055601Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:08.481{f73635a5-1334-642f-1b1f-000000004b02}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055600Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:06.288{f73635a5-1332-642f-1a1f-000000004b02}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3144--- 354300x800000000000000055599Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:45:01.879{f73635a5-085a-642f-131e-000000004b02}5332C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14ar-win-dc.attackrange.local63606-false10.0.1.14ar-win-dc.attackrange.local3268msft-gc 4688201331200x8020000000000000402412Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbccC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053781Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:44:55.543{F02F376E-1327-642F-161E-00000000D802}3020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402411Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x5e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000402410Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf28C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053780Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:44:54.782{F02F376E-1326-642F-151E-00000000D802}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- 154100x800000000000000053779Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:44:54.028{F02F376E-1326-642F-141E-00000000D802}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402409Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xee8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053778Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:44:50.034{F02F376E-1322-642F-131E-00000000D802}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402408Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8ecC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053777Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:44:49.269{F02F376E-1321-642F-121E-00000000D802}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1892--- 7300x8000000000000051124Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2892","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.5833056Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} 7300x8000000000000051123Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2892","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.582545Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} 7300x8000000000000051122Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFEA5D10000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFEA5D10000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.3635862Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} 4634001254500x8020000000000000170550Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29b2b593 4627001255400x8020000000000000170549Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-537851375-1300420925-1735565775-1008AR-WIN-DC$ATTACKRANGE.LOCAL0x29b37af311 ATTACKRANGE\Domain Controllers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\SO-bthoma110-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4055} ATTACKRANGE\NE-505005000-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group NT AUTHORITY\NETWORK SERVICE Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170548Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE.LOCAL0x29b37af3KerberosKerberos-{6dda2bf5-1ef0-e2f8-6819-0cac33c35096}--00x0---%%1840---%%18430x0%%1842 4672001254800x8020000000000000170547Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE0x29b37afSeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 4627001255400x8020000000000000170546Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29b2b59311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170545Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29b2b593KerberosKerberos-{d4a080db-d3b9-f1ef-f295-e03abed17717}--00x0-fe80::ccd8:364c:b6d:dab259208%%1840---%%18430x0%%1842 4672001254800x8020000000000000170544Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29b2b59SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000170543Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aad943 4634001254500x8020000000000000170542Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29b160e3 4627001255400x8020000000000000170541Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29b160e311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170540Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29b160e3KerberosKerberos-{f5b8e1b7-7cc8-708a-216a-0546bbb967ba}--00x0-::159207%%1833---%%18430x0%%1842 4672001254800x8020000000000000170539Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29b160eSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000055598Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:10.612{f73635a5-12fa-642f-191f-000000004b02}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055597Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:09.973{f73635a5-12f9-642f-181f-000000004b02}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055596Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:09.221{f73635a5-12f9-642f-171f-000000004b02}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055595Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:08.480{f73635a5-12f8-642f-161f-000000004b02}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 22542200x800000000000000055594Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:05.105{00000000-0000-0000-0000-000000000000}5496ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;<unknown process>NT AUTHORITY\SYSTEM 703604000x8080000000000000121655Systemar-win-dc.attackrange.localDelivery Optimizationstopped44006F005300760063002F0031000000 703604000x8080000000000000121654Systemar-win-dc.attackrange.localDelivery Optimizationrunning44006F005300760063002F0034000000 4634001254500x8020000000000000170538Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afa4c3 4634001254500x8020000000000000170537Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afc9c3 4627001255400x8020000000000000170536Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29afc9c311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170535Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29afc9c3KerberosKerberos-{e2b4f8d7-35e8-8f89-bf85-59edfc2b9e31}--00x0---%%1833---%%18430x0%%1842 4672001254800x8020000000000000170534Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afc9cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000055593Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:06.471{f73635a5-12f6-642f-151f-000000004b02}5700C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-b37c-642d-2700-000000004b02}1712C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 4648001254400x8020000000000000170533Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7{00000000-0000-0000-0000-000000000000}AR-WIN-DC$ATTACKRANGE.LOCAL{e188fb90-56e3-b77b-5166-9c799603e1e8}ar-win-dc$ar-win-dc$0x1578C:\Windows\System32\taskhostw.exe-- 154100x800000000000000055592Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:06.363{f73635a5-12f6-642f-141f-000000004b02}3928C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-b37c-642d-2700-000000004b02}1712C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 4769001433700x8020000000000000170532Securityar-win-dc.attackrange.localAR-WIN-DC$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::100x0{e188fb90-56e3-b77b-5166-9c799603e1e8}- 703604000x8080000000000000121653Systemar-win-dc.attackrange.localPortable Device Enumerator Servicerunning57005000440042007500730045006E0075006D002F0034000000 154100x800000000000000055591Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:06.269{f73635a5-12f6-642f-131f-000000004b02}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3144--- 4768001433900x8020000000000000170531Securityar-win-dc.attackrange.localAR-WIN-DC$ATTACKRANGE.LOCALATTACKRANGE\AR-WIN-DC$krbtgtATTACKRANGE\krbtgt0x408100100x00x122::10 154100x800000000000000055590Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:06.249{f73635a5-12f6-642f-121f-000000004b02}5496C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe SYSTEMC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-b37c-642d-2700-000000004b02}1712C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 4634001254500x8020000000000000170530Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afb383 154100x800000000000000055589Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:06.143{f73635a5-12f6-642f-111f-000000004b02}6584C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe ExploitGuardPolicyC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-b37c-642d-2700-000000004b02}1712C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 703604000x8080000000000000121652Systemar-win-dc.attackrange.localNetwork Connectivity Assistantstopped4E00630061005300760063002F0031000000 4634001254500x8020000000000000170529Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afbe63 4627001255400x8020000000000000170528Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29afbe6311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170527Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29afbe63KerberosKerberos-{e2b4f8d7-35e8-8f89-bf85-59edfc2b9e31}--00x0---%%1833---%%18430x0%%1842 4672001254800x8020000000000000170526Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afbe6SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4648001254400x8020000000000000170525Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7{00000000-0000-0000-0000-000000000000}AR-WIN-DC$ATTACKRANGE.LOCAL{e188fb90-56e3-b77b-5166-9c799603e1e8}ar-win-dc$ar-win-dc$0x1578C:\Windows\System32\taskhostw.exe-- 4769001433700x8020000000000000170524Securityar-win-dc.attackrange.localAR-WIN-DC$@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::100x0{e188fb90-56e3-b77b-5166-9c799603e1e8}- 4768001433900x8020000000000000170523Securityar-win-dc.attackrange.localAR-WIN-DC$ATTACKRANGE.LOCALATTACKRANGE\AR-WIN-DC$krbtgtATTACKRANGE\krbtgt0x408100100x00x122::10 4627001255400x8020000000000000170522Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29afb38311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170521Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29afb383KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-10.0.1.1459206%%1833---%%18430x0%%1842 4672001254800x8020000000000000170520Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afb38SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000170519Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29afa4c311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170518Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29afa4c3KerberosKerberos-{f5b8e1b7-7cc8-708a-216a-0546bbb967ba}--00x0-::159205%%1833---%%18430x0%%1842 4672001254800x8020000000000000170517Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29afa4cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4673001305600x8020000000000000170516Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7NT Local Security Authority / Authentication ServiceLsaRegisterLogonProcess()SeTcbPrivilege0x270C:\Windows\System32\lsass.exe 4634001254500x8020000000000000170515Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ad5d33 4627001255400x8020000000000000170514Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29ad5d3311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170513Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29ad5d33KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-fe80::ccd8:364c:b6d:dab259203%%1833---%%18430x0%%1842 4672001254800x8020000000000000170512Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ad5d3SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4672001254800x8020000000000000170511Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000170510Securityar-win-dc.attackrange.localS-1-5-18AR-WIN-DC$ATTACKRANGE0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e7511 BUILTIN\Administrators Everyone NT AUTHORITY\Authenticated Users Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170509Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x25cC:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 4672001254800x8020000000000000170508Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000170507Securityar-win-dc.attackrange.localS-1-5-18AR-WIN-DC$ATTACKRANGE0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e7511 BUILTIN\Administrators Everyone NT AUTHORITY\Authenticated Users Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170506Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x25cC:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 4674001305600x8010000000000000170505Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5LSA--0x016777216SeSecurityPrivilege0x270C:\Windows\System32\lsass.exe 4674001305600x8010000000000000170504Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5LSA--0x016777216SeSecurityPrivilege0x270C:\Windows\System32\lsass.exe 4674001305600x8010000000000000170503Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5LSA--0x016777216SeSecurityPrivilege0x270C:\Windows\System32\lsass.exe 4674001305600x8010000000000000170502Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5LSA--0x016777216SeSecurityPrivilege0x270C:\Windows\System32\lsass.exe 4627001255400x8020000000000000170501Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29ac49f311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170500Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29ac49f3KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-fe80::ccd8:364c:b6d:dab259199%%1833---%%18430x0%%1842 4672001254800x8020000000000000170499Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29ac49fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000170498Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aabb63 150204010x8000000000000000121651Systemar-win-dc.attackrange.local142130953\\ar-win-dc.attackrange.local2 13241300x800000000000000055588Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.localT1101SetValue2023-04-06 18:44:05.926{f73635a5-b379-642d-0b00-000000004b02}604C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001)NT AUTHORITY\SYSTEM 154100x800000000000000055587Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:05.028{f73635a5-12f5-642f-0d1f-000000004b02}4572C:\Windows\System32\gpupdate.exe10.0.17763.1518 (WinBuild.160101.0800)Microsoft® Group Policy Update UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationGPUpdate.exegpupdate /forceC:\Users\Administrator\ATTACKRANGE\Administrator{f73635a5-dbf9-642d-c384-510000000000}0x5184c32HighMD5=EE5892A6168658FF9C7784FF94346AA2,SHA256=0E8606BA02828D403E321E37F1568AA321A95D3BDBDB83B73583105B666D79BA,IMPHASH=F150A94E73644B4EE8C4FF24DFEA3216{f73635a5-12f1-642f-0a1f-000000004b02}644C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\Administrator 1704400x8000000000000016365Applicationar-win-dc.attackrange.local 4634001254500x8020000000000000170497Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aacb33 4634001254500x8020000000000000170496Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aad063 4627001255400x8020000000000000170495Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29aad94311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170494Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29aad943KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-fe80::ccd8:364c:b6d:dab259202%%1840---%%18430x0%%1842 4672001254800x8020000000000000170493Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aad94SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000170492Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29aad06311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170491Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29aad063KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-10.0.1.1459201%%1833---%%18430x0%%1842 4672001254800x8020000000000000170490Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aad06SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000170489Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29aacb3311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170488Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29aacb33KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000170487Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aacb3SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000170486Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29aabb6311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170485Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29aabb63KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-fe80::ccd8:364c:b6d:dab259200%%1833---%%18430x0%%1842 4672001254800x8020000000000000170484Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aabb6SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000170483Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29aab12311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170482Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29aab123KerberosKerberos-{bfdda50e-983b-3884-6fdf-4af947b7bba9}--00x0-fe80::ccd8:364c:b6d:dab259199%%1833---%%18430x0%%1842 4672001254800x8020000000000000170481Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29aab12SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4673001305600x8010000000000000170480Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x358C:\Windows\System32\svchost.exe 154100x800000000000000055586Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:44:01.674{f73635a5-12f1-642f-0a1f-000000004b02}644C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{f73635a5-dbf9-642d-c384-510000000000}0x5184c32HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{f73635a5-dbfa-642d-5d04-000000004b02}3868C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECKATTACKRANGE\Administrator 4673001305600x8010000000000000170479Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170478Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170477Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170476Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170475Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170474Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170473Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170472Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170471Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170470Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170469Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170468Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170467Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170466Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170465Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170464Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170463Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170462Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170461Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170460Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170459Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170458Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170457Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170456Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170455Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170454Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170453Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170452Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170451Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170450Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170449Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170448Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170447Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170446Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170445Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170444Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170443Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170442Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170441Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170440Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170439Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170438Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170437Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170436Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170435Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170434Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170433Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170432Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170431Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170430Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170429Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170428Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170427Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170426Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170425Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170424Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170423Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170422Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 4673001305600x8010000000000000170421Securityar-win-dc.attackrange.localATTACKRANGE\AdministratorAdministratorATTACKRANGE0x5184c3Security-SeTcbPrivilege0x16f4C:\Windows\System32\RuntimeBroker.exe 154100x800000000000000053776Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:43:55.550{F02F376E-12EB-642F-111E-00000000D802}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402407Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x36cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053775Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:43:54.783{F02F376E-12EA-642F-101E-00000000D802}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- 154100x800000000000000053774Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:43:54.030{F02F376E-12EA-642F-0F1E-00000000D802}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402406Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000402405Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE9EFF0000","EventID":"5","Execution_ProcessID":"2920","Execution_ThreadID":"3596","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE9EFF0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:45:49.3802709Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:45:49Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2892","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.5833056Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2892","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.582545Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} {"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFEA5D10000","EventID":"5","Execution_ProcessID":"2284","Execution_ThreadID":"2804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFEA5D10000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2284","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:44:49.3635862Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:44:49Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:43:49.5758337Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:43:50Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:43:49.574808Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-04-06T18:43:50Z"} 154100x800000000000000053773Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:43:50.020{F02F376E-12E6-642F-0E1E-00000000D802}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1892--- 7300x8000000000000051121Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96740000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96740000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:43:49.5758337Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:43:50Z"} 7300x8000000000000051120Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFE96960000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFE96960000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:43:49.574808Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:43:50Z"} 4688201331200x8020000000000000402404Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe58C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000053772Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-04-06 18:43:49.257{F02F376E-12E5-642F-0D1E-00000000D802}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-B37A-642D-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1892--- 4688201331200x8020000000000000402403Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x764"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000051119Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFEA2220000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"548","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFEA2220000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2430-g76554297a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-04-06T18:43:49.3522526Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-04-06T18:43:49Z"} 4634001254500x8020000000000000170420Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29a310c3 4627001255400x8020000000000000170419Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x29a310c311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-537851375-1300420925-1735565775-4082} ATTACKRANGE\FE-bresneide-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-3925} ATTACKRANGE\Domain Controllers %{S-1-5-21-537851375-1300420925-1735565775-3651} ATTACKRANGE\BA-01w-admingroup1 %{S-1-5-21-537851375-1300420925-1735565775-4080} ATTACKRANGE\MA-666-distlist1 %{S-1-5-21-537851375-1300420925-1735565775-4013} ATTACKRANGE\JA-dia-distlist1 %{S-1-5-9} %{S-1-18-1} ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000170418Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x29a310c3KerberosKerberos-{f5b8e1b7-7cc8-708a-216a-0546bbb967ba}--00x0-::159197%%1833---%%18430x0%%1842 4672001254800x8020000000000000170417Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x29a310cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000055585Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:43:10.618{f73635a5-12be-642f-091f-000000004b02}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055584Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:43:09.844{f73635a5-12bd-642f-081f-000000004b02}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055583Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:43:09.227{f73635a5-12bd-642f-071f-000000004b02}6668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055582Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:43:08.479{f73635a5-12bc-642f-061f-000000004b02}4244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3144--- 154100x800000000000000055581Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-04-06 18:43:06.386{f73635a5-12ba-642f-051f-000000004b02}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-b379-642d-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3144---