410515102150x0708687Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708686Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8546d2d8-2f8d-4ed8-a187-4bce2b2e5d9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708685Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708684Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708683Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local8546d2d8-2f8d-4ed8-a187-4bce2b2e5d9b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708682Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt8546d2d8-2f8d-4ed8-a187-4bce2b2e5d9b 410615103150x0708681Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708680Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708679Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5d894f0b-05c1-4f91-a569-b1c7a633317a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4726001382400x8020000000000000279283Securityar-win-dc.attackrange.localLYNN_WOLFATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2445ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279282Securityar-win-dc.attackrange.localJODY_MENDOZAATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2338ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279281Securityar-win-dc.attackrange.localJAKE_COCHRANATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2817ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279280Securityar-win-dc.attackrange.localHERMAN_TODDATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1585ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279279Securityar-win-dc.attackrange.localMELVA_DURHAMATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2170ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279278Securityar-win-dc.attackrange.localRUFUS_BLANCHARDATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3506ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279277Securityar-win-dc.attackrange.localVICKI_OWENATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2169ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279276Securityar-win-dc.attackrange.localELVIA_MCLEODATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2895ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279275Securityar-win-dc.attackrange.localSAMUEL_CASTANEDAATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1630ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279274Securityar-win-dc.attackrange.localJERROLD_WADEATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1308ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 02/21/2024 19:38:47.476 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LYNN_WOLF DEL:e6c047f1-bb06-456e-9423-c7797290577b distinguishedName=CN=LYNN_WOLF\0ADEL:e6c047f1-bb06-456e-9423-c7797290577b,CN=Deleted Objects,DC=attackrange,DC=local cn=LYNN_WOLF DEL:e6c047f1-bb06-456e-9423-c7797290577b Object Details: sAMAccountName=LYNN_WOLF objectSid=S-1-5-21-2851375338-1978525053-2422663219-2445 userAccountControl=512 objectGUID=e6c047f1-bb06-456e-9423-c7797290577b whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:54.18 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82163 uSNCreated=26308 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=OGC,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.430 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=JODY_MENDOZA DEL:aa14563e-4e44-4a57-950c-926e82dc88f4 distinguishedName=CN=JODY_MENDOZA\0ADEL:aa14563e-4e44-4a57-950c-926e82dc88f4,CN=Deleted Objects,DC=attackrange,DC=local cn=JODY_MENDOZA DEL:aa14563e-4e44-4a57-950c-926e82dc88f4 Object Details: sAMAccountName=JODY_MENDOZA objectSid=S-1-5-21-2851375338-1978525053-2422663219-2338 userAccountControl=4194816 objectGUID=aa14563e-4e44-4a57-950c-926e82dc88f4 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:53.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82162 uSNCreated=25555 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=AZR,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.398 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=JAKE_COCHRAN DEL:eda6ddb6-ab1b-4aa3-a937-e9fdd2f90c0b distinguishedName=CN=JAKE_COCHRAN\0ADEL:eda6ddb6-ab1b-4aa3-a937-e9fdd2f90c0b,CN=Deleted Objects,DC=attackrange,DC=local cn=JAKE_COCHRAN DEL:eda6ddb6-ab1b-4aa3-a937-e9fdd2f90c0b Object Details: sAMAccountName=JAKE_COCHRAN objectSid=S-1-5-21-2851375338-1978525053-2422663219-2817 userAccountControl=512 objectGUID=eda6ddb6-ab1b-4aa3-a937-e9fdd2f90c0b whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:55.34 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82161 uSNCreated=28921 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=BDE,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.353 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=HERMAN_TODD DEL:9fb6f1f7-9acf-43ce-856e-5cd763d4a89e distinguishedName=CN=HERMAN_TODD\0ADEL:9fb6f1f7-9acf-43ce-856e-5cd763d4a89e,CN=Deleted Objects,DC=attackrange,DC=local cn=HERMAN_TODD DEL:9fb6f1f7-9acf-43ce-856e-5cd763d4a89e Object Details: sAMAccountName=HERMAN_TODD objectSid=S-1-5-21-2851375338-1978525053-2422663219-1585 userAccountControl=512 objectGUID=9fb6f1f7-9acf-43ce-856e-5cd763d4a89e whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:51.06 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82160 uSNCreated=20264 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.305 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=MELVA_DURHAM DEL:68dae8dd-d97f-4983-b7d4-d2887b33ec82 distinguishedName=CN=MELVA_DURHAM\0ADEL:68dae8dd-d97f-4983-b7d4-d2887b33ec82,CN=Deleted Objects,DC=attackrange,DC=local cn=MELVA_DURHAM DEL:68dae8dd-d97f-4983-b7d4-d2887b33ec82 Object Details: sAMAccountName=MELVA_DURHAM objectSid=S-1-5-21-2851375338-1978525053-2422663219-2170 userAccountControl=512 objectGUID=68dae8dd-d97f-4983-b7d4-d2887b33ec82 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:53.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82159 uSNCreated=24376 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=.SecFrame.com,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.258 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=RUFUS_BLANCHARD DEL:5f203689-4359-43b3-96cb-4ab4694bd094 distinguishedName=CN=RUFUS_BLANCHARD\0ADEL:5f203689-4359-43b3-96cb-4ab4694bd094,CN=Deleted Objects,DC=attackrange,DC=local cn=RUFUS_BLANCHARD DEL:5f203689-4359-43b3-96cb-4ab4694bd094 Object Details: sAMAccountName=RUFUS_BLANCHARD objectSid=S-1-5-21-2851375338-1978525053-2422663219-3506 userAccountControl=512 objectGUID=5f203689-4359-43b3-96cb-4ab4694bd094 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:57.52 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82158 uSNCreated=33766 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=OGC,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.226 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=VICKI_OWEN DEL:6d13cbe2-a8ce-4c5c-a465-e73319e04529 distinguishedName=CN=VICKI_OWEN\0ADEL:6d13cbe2-a8ce-4c5c-a465-e73319e04529,CN=Deleted Objects,DC=attackrange,DC=local cn=VICKI_OWEN DEL:6d13cbe2-a8ce-4c5c-a465-e73319e04529 Object Details: sAMAccountName=VICKI_OWEN objectSid=S-1-5-21-2851375338-1978525053-2422663219-2169 userAccountControl=512 objectGUID=6d13cbe2-a8ce-4c5c-a465-e73319e04529 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:53.17 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82157 uSNCreated=24369 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.195 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=ELVIA_MCLEOD DEL:0273afc8-23db-46fe-b567-f69effe65538 distinguishedName=CN=ELVIA_MCLEOD\0ADEL:0273afc8-23db-46fe-b567-f69effe65538,CN=Deleted Objects,DC=attackrange,DC=local cn=ELVIA_MCLEOD DEL:0273afc8-23db-46fe-b567-f69effe65538 Object Details: sAMAccountName=ELVIA_MCLEOD objectSid=S-1-5-21-2851375338-1978525053-2422663219-2895 userAccountControl=512 objectGUID=0273afc8-23db-46fe-b567-f69effe65538 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:55.52 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82156 uSNCreated=29470 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.164 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=SAMUEL_CASTANEDA DEL:206c657d-d259-4f13-8a40-fe3b267277e0 distinguishedName=CN=SAMUEL_CASTANEDA\0ADEL:206c657d-d259-4f13-8a40-fe3b267277e0,CN=Deleted Objects,DC=attackrange,DC=local cn=SAMUEL_CASTANEDA DEL:206c657d-d259-4f13-8a40-fe3b267277e0 Object Details: sAMAccountName=SAMUEL_CASTANEDA objectSid=S-1-5-21-2851375338-1978525053-2422663219-1630 userAccountControl=512 objectGUID=206c657d-d259-4f13-8a40-fe3b267277e0 whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:51.16 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82155 uSNCreated=20580 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=FSR,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:47.117 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=JERROLD_WADE DEL:1032ef19-e549-4a7d-8776-46c45fffaffb distinguishedName=CN=JERROLD_WADE\0ADEL:1032ef19-e549-4a7d-8776-46c45fffaffb,CN=Deleted Objects,DC=attackrange,DC=local cn=JERROLD_WADE DEL:1032ef19-e549-4a7d-8776-46c45fffaffb Object Details: sAMAccountName=JERROLD_WADE objectSid=S-1-5-21-2851375338-1978525053-2422663219-1308 userAccountControl=512 objectGUID=1032ef19-e549-4a7d-8776-46c45fffaffb whenChanged=07:38.47 PM, Wed 02/21/2024 whenCreated=09:49.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82154 uSNCreated=18316 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=AZR,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 410615103150x0708678Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708677Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708676Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local5d894f0b-05c1-4f91-a569-b1c7a633317a2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708675Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter * -Properties Enabled | Get-Random -Count 10 # Loop through each user and delete the account foreach ($user in $randomUsers) { try { Remove-ADUser -Identity $user.SamAccountName -Confirm:$false Write-Host "User account deleted: $($user.SamAccountName)" } catch { Write-Host "Failed to delete user account: $($user.SamAccountName)" } } # Output the users whose accounts were deleted Write-Host "Deleted accounts for the following users:" $randomUsers | Select-Object SamAccountName 5d894f0b-05c1-4f91-a569-b1c7a633317a 410615103150x0708674Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708673Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708672Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbc2ea071-e940-484d-82f0-7385ceeb333b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708671Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708670Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708669Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbc2ea071-e940-484d-82f0-7385ceeb333b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708668Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptbc2ea071-e940-484d-82f0-7385ceeb333b 410615103150x0708667Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708666Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708665Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4e05e32b-c1a4-47a4-a01a-35c3f34f6b712b535b4c-a403-4565-9d75-b1fc8c18a9ac 4726001382400x8020000000000000279273Securityar-win-dc.attackrange.localSTEFAN_KENTATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2982ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279272Securityar-win-dc.attackrange.localAVIS_YORKATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2306ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279271Securityar-win-dc.attackrange.localHARRIET_PERRYATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2492ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279270Securityar-win-dc.attackrange.localBENNIE_GAINESATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1855ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279269Securityar-win-dc.attackrange.localALFRED_RAYMONDATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2528ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279268Securityar-win-dc.attackrange.localLELIA_VALENZUELAATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2233ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279267Securityar-win-dc.attackrange.localVILMA_MANNATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2834ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279266Securityar-win-dc.attackrange.localPATRICIA_BLEVINSATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2928ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279265Securityar-win-dc.attackrange.localKAREEM_PENNINGTONATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2762ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279264Securityar-win-dc.attackrange.localSANDY_BERGATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1345ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 02/21/2024 19:38:44.834 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=STEFAN_KENT DEL:06e1b49a-e637-4d6a-adc3-d9ccd6e1a1f8 distinguishedName=CN=STEFAN_KENT\0ADEL:06e1b49a-e637-4d6a-adc3-d9ccd6e1a1f8,CN=Deleted Objects,DC=attackrange,DC=local cn=STEFAN_KENT DEL:06e1b49a-e637-4d6a-adc3-d9ccd6e1a1f8 Object Details: sAMAccountName=STEFAN_KENT objectSid=S-1-5-21-2851375338-1978525053-2422663219-2982 userAccountControl=512 objectGUID=06e1b49a-e637-4d6a-adc3-d9ccd6e1a1f8 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:56.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82153 uSNCreated=30081 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=OGC,OU=People,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.802 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=AVIS_YORK DEL:f5955d52-85d3-46c0-bb93-8d980b819790 distinguishedName=CN=AVIS_YORK\0ADEL:f5955d52-85d3-46c0-bb93-8d980b819790,CN=Deleted Objects,DC=attackrange,DC=local cn=AVIS_YORK DEL:f5955d52-85d3-46c0-bb93-8d980b819790 Object Details: sAMAccountName=AVIS_YORK objectSid=S-1-5-21-2851375338-1978525053-2422663219-2306 userAccountControl=512 objectGUID=f5955d52-85d3-46c0-bb93-8d980b819790 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:53.47 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82152 uSNCreated=25331 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=FSR,OU=People,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.771 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=HARRIET_PERRY DEL:7a55c9bd-69a1-4d28-a9dd-202841b1c0b5 distinguishedName=CN=HARRIET_PERRY\0ADEL:7a55c9bd-69a1-4d28-a9dd-202841b1c0b5,CN=Deleted Objects,DC=attackrange,DC=local cn=HARRIET_PERRY DEL:7a55c9bd-69a1-4d28-a9dd-202841b1c0b5 Object Details: sAMAccountName=HARRIET_PERRY objectSid=S-1-5-21-2851375338-1978525053-2422663219-2492 userAccountControl=4194816 objectGUID=7a55c9bd-69a1-4d28-a9dd-202841b1c0b5 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:54.27 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82151 uSNCreated=26639 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.708 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=BENNIE_GAINES DEL:153f157f-0536-4188-b508-0f7338e08fa1 distinguishedName=CN=BENNIE_GAINES\0ADEL:153f157f-0536-4188-b508-0f7338e08fa1,CN=Deleted Objects,DC=attackrange,DC=local cn=BENNIE_GAINES DEL:153f157f-0536-4188-b508-0f7338e08fa1 Object Details: sAMAccountName=BENNIE_GAINES objectSid=S-1-5-21-2851375338-1978525053-2422663219-1855 userAccountControl=512 objectGUID=153f157f-0536-4188-b508-0f7338e08fa1 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:52.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82150 uSNCreated=22163 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=SEC,OU=People,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.648 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=ALFRED_RAYMOND DEL:f18d2568-7cc1-48fd-b6aa-fba660106e92 distinguishedName=CN=ALFRED_RAYMOND\0ADEL:f18d2568-7cc1-48fd-b6aa-fba660106e92,CN=Deleted Objects,DC=attackrange,DC=local cn=ALFRED_RAYMOND DEL:f18d2568-7cc1-48fd-b6aa-fba660106e92 Object Details: sAMAccountName=ALFRED_RAYMOND objectSid=S-1-5-21-2851375338-1978525053-2422663219-2528 userAccountControl=512 objectGUID=f18d2568-7cc1-48fd-b6aa-fba660106e92 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:54.36 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82149 uSNCreated=26893 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=TST,OU=People,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.598 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LELIA_VALENZUELA DEL:71669341-347a-45e0-98c5-92dd00a83064 distinguishedName=CN=LELIA_VALENZUELA\0ADEL:71669341-347a-45e0-98c5-92dd00a83064,CN=Deleted Objects,DC=attackrange,DC=local cn=LELIA_VALENZUELA DEL:71669341-347a-45e0-98c5-92dd00a83064 Object Details: sAMAccountName=LELIA_VALENZUELA objectSid=S-1-5-21-2851375338-1978525053-2422663219-2233 userAccountControl=512 objectGUID=71669341-347a-45e0-98c5-92dd00a83064 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:53.31 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82148 uSNCreated=24819 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.567 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=VILMA_MANN DEL:78712457-9fc3-4780-a3f1-f5e5a97a7d56 distinguishedName=CN=VILMA_MANN\0ADEL:78712457-9fc3-4780-a3f1-f5e5a97a7d56,CN=Deleted Objects,DC=attackrange,DC=local cn=VILMA_MANN DEL:78712457-9fc3-4780-a3f1-f5e5a97a7d56 Object Details: sAMAccountName=VILMA_MANN objectSid=S-1-5-21-2851375338-1978525053-2422663219-2834 userAccountControl=512 objectGUID=78712457-9fc3-4780-a3f1-f5e5a97a7d56 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:55.38 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82147 uSNCreated=29040 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.536 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=PATRICIA_BLEVINS DEL:2c118894-cb45-4ae9-9426-8466ed81038f distinguishedName=CN=PATRICIA_BLEVINS\0ADEL:2c118894-cb45-4ae9-9426-8466ed81038f,CN=Deleted Objects,DC=attackrange,DC=local cn=PATRICIA_BLEVINS DEL:2c118894-cb45-4ae9-9426-8466ed81038f Object Details: sAMAccountName=PATRICIA_BLEVINS objectSid=S-1-5-21-2851375338-1978525053-2422663219-2928 userAccountControl=512 objectGUID=2c118894-cb45-4ae9-9426-8466ed81038f whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:55.59 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82146 uSNCreated=29701 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.489 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=KAREEM_PENNINGTON DEL:9aa5cac4-cce4-454b-9134-57b3564f9e8f distinguishedName=CN=KAREEM_PENNINGTON\0ADEL:9aa5cac4-cce4-454b-9134-57b3564f9e8f,CN=Deleted Objects,DC=attackrange,DC=local cn=KAREEM_PENNINGTON DEL:9aa5cac4-cce4-454b-9134-57b3564f9e8f Object Details: sAMAccountName=KAREEM_PENNINGTON objectSid=S-1-5-21-2851375338-1978525053-2422663219-2762 userAccountControl=512 objectGUID=9aa5cac4-cce4-454b-9134-57b3564f9e8f whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:55.23 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82145 uSNCreated=28532 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=ITS,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:44.379 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=SANDY_BERG DEL:484fd0ee-1a58-428b-be1e-c2ddc002daf7 distinguishedName=CN=SANDY_BERG\0ADEL:484fd0ee-1a58-428b-be1e-c2ddc002daf7,CN=Deleted Objects,DC=attackrange,DC=local cn=SANDY_BERG DEL:484fd0ee-1a58-428b-be1e-c2ddc002daf7 Object Details: sAMAccountName=SANDY_BERG objectSid=S-1-5-21-2851375338-1978525053-2422663219-1345 userAccountControl=512 objectGUID=484fd0ee-1a58-428b-be1e-c2ddc002daf7 whenChanged=07:38.44 PM, Wed 02/21/2024 whenCreated=09:50.06 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82144 uSNCreated=18576 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 410615103150x0708664Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708663Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708662Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local4e05e32b-c1a4-47a4-a01a-35c3f34f6b712b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708661Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter * -Properties Enabled | Get-Random -Count 10 # Loop through each user and delete the account foreach ($user in $randomUsers) { try { Remove-ADUser -Identity $user.SamAccountName -Confirm:$false Write-Host "User account deleted: $($user.SamAccountName)" } catch { Write-Host "Failed to delete user account: $($user.SamAccountName)" } } # Output the users whose accounts were deleted Write-Host "Deleted accounts for the following users:" $randomUsers | Select-Object SamAccountName 4e05e32b-c1a4-47a4-a01a-35c3f34f6b71 410615103150x0708660Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708659Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708658Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local31109dfb-c8c5-4f59-9335-f5eafffa8d012b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708657Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708656Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708655Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local31109dfb-c8c5-4f59-9335-f5eafffa8d012b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708654Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt31109dfb-c8c5-4f59-9335-f5eafffa8d01 410615103150x0708653Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708652Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708651Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local293c3cb8-cb2c-42e7-a1aa-0acec519fc3c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4726001382400x8020000000000000279263Securityar-win-dc.attackrange.localRON_BUTLERATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2049ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279262Securityar-win-dc.attackrange.localSTELLA_VALENCIAATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3490ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279261Securityar-win-dc.attackrange.localMAUDE_HARVEYATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2664ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279260Securityar-win-dc.attackrange.localKATIE_CONRADATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1243ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279259Securityar-win-dc.attackrange.localBLANCHE_RODRIQUEZATTACKRANGEATTACKRANGE\BLANCHE_RODRIQUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279258Securityar-win-dc.attackrange.localDAISY_SANTIAGOATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2923ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279257Securityar-win-dc.attackrange.localTAMMIE_SARGENTATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2838ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279256Securityar-win-dc.attackrange.localLON_STEVENSATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3066ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 02/21/2024 19:38:42.410 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=RON_BUTLER DEL:088d5c7c-d6c6-4bf7-9b47-14e5a8bc306e distinguishedName=CN=RON_BUTLER\0ADEL:088d5c7c-d6c6-4bf7-9b47-14e5a8bc306e,CN=Deleted Objects,DC=attackrange,DC=local cn=RON_BUTLER DEL:088d5c7c-d6c6-4bf7-9b47-14e5a8bc306e Object Details: sAMAccountName=RON_BUTLER objectSid=S-1-5-21-2851375338-1978525053-2422663219-2049 userAccountControl=512 objectGUID=088d5c7c-d6c6-4bf7-9b47-14e5a8bc306e whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:52.50 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82143 uSNCreated=23527 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Admin,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.346 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=STELLA_VALENCIA DEL:64c8d830-39de-49de-a6de-11f5235dcd9a distinguishedName=CN=STELLA_VALENCIA\0ADEL:64c8d830-39de-49de-a6de-11f5235dcd9a,CN=Deleted Objects,DC=attackrange,DC=local cn=STELLA_VALENCIA DEL:64c8d830-39de-49de-a6de-11f5235dcd9a Object Details: sAMAccountName=STELLA_VALENCIA objectSid=S-1-5-21-2851375338-1978525053-2422663219-3490 userAccountControl=512 objectGUID=64c8d830-39de-49de-a6de-11f5235dcd9a whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:57.49 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82142 uSNCreated=33653 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=GOO,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.300 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=MAUDE_HARVEY DEL:e84ba3ad-70c8-4411-b1ea-94b61b15ec96 distinguishedName=CN=MAUDE_HARVEY\0ADEL:e84ba3ad-70c8-4411-b1ea-94b61b15ec96,CN=Deleted Objects,DC=attackrange,DC=local cn=MAUDE_HARVEY DEL:e84ba3ad-70c8-4411-b1ea-94b61b15ec96 Object Details: sAMAccountName=MAUDE_HARVEY objectSid=S-1-5-21-2851375338-1978525053-2422663219-2664 userAccountControl=512 objectGUID=e84ba3ad-70c8-4411-b1ea-94b61b15ec96 whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:55.03 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82141 uSNCreated=27846 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=AWS,OU=People,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.253 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=KATIE_CONRAD DEL:2500d487-fac1-4c2f-bbd6-d9e2216d97a6 distinguishedName=CN=KATIE_CONRAD\0ADEL:2500d487-fac1-4c2f-bbd6-d9e2216d97a6,CN=Deleted Objects,DC=attackrange,DC=local cn=KATIE_CONRAD DEL:2500d487-fac1-4c2f-bbd6-d9e2216d97a6 Object Details: sAMAccountName=KATIE_CONRAD objectSid=S-1-5-21-2851375338-1978525053-2422663219-1243 userAccountControl=512 objectGUID=2500d487-fac1-4c2f-bbd6-d9e2216d97a6 whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:49.41 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82140 uSNCreated=17858 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.221 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=BLANCHE_RODRIQUEZ DEL:28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79 distinguishedName=CN=BLANCHE_RODRIQUEZ\0ADEL:28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79,CN=Deleted Objects,DC=attackrange,DC=local cn=BLANCHE_RODRIQUEZ DEL:28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79 Object Details: sAMAccountName=BLANCHE_RODRIQUEZ objectSid=S-1-5-21-2851375338-1978525053-2422663219-2904 userAccountControl=514 objectGUID=28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79 whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:55.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82139 uSNCreated=29533 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Test,OU=ITS,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.159 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=DAISY_SANTIAGO DEL:0f84af68-1b02-471f-9a7b-d149d3a8842f distinguishedName=CN=DAISY_SANTIAGO\0ADEL:0f84af68-1b02-471f-9a7b-d149d3a8842f,CN=Deleted Objects,DC=attackrange,DC=local cn=DAISY_SANTIAGO DEL:0f84af68-1b02-471f-9a7b-d149d3a8842f Object Details: sAMAccountName=DAISY_SANTIAGO objectSid=S-1-5-21-2851375338-1978525053-2422663219-2923 userAccountControl=512 objectGUID=0f84af68-1b02-471f-9a7b-d149d3a8842f whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:55.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82138 uSNCreated=29666 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.097 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=TAMMIE_SARGENT DEL:8ecba012-3144-41e8-9846-4a6a9e41c3a1 distinguishedName=CN=TAMMIE_SARGENT\0ADEL:8ecba012-3144-41e8-9846-4a6a9e41c3a1,CN=Deleted Objects,DC=attackrange,DC=local cn=TAMMIE_SARGENT DEL:8ecba012-3144-41e8-9846-4a6a9e41c3a1 Object Details: sAMAccountName=TAMMIE_SARGENT objectSid=S-1-5-21-2851375338-1978525053-2422663219-2838 userAccountControl=512 objectGUID=8ecba012-3144-41e8-9846-4a6a9e41c3a1 whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:55.39 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82137 uSNCreated=29068 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=SEC,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:42.049 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LON_STEVENS DEL:9d875990-cb57-460a-88c6-46359f717f8f distinguishedName=CN=LON_STEVENS\0ADEL:9d875990-cb57-460a-88c6-46359f717f8f,CN=Deleted Objects,DC=attackrange,DC=local cn=LON_STEVENS DEL:9d875990-cb57-460a-88c6-46359f717f8f Object Details: sAMAccountName=LON_STEVENS objectSid=S-1-5-21-2851375338-1978525053-2422663219-3066 userAccountControl=512 objectGUID=9d875990-cb57-460a-88c6-46359f717f8f whenChanged=07:38.42 PM, Wed 02/21/2024 whenCreated=09:56.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82136 uSNCreated=30672 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Test,OU=HRE,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 4726001382400x8020000000000000279255Securityar-win-dc.attackrange.localMERCEDES_CHANDLERATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2257ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279254Securityar-win-dc.attackrange.localELVIN_MORRISONATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2009ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 02/21/2024 19:38:41.987 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=MERCEDES_CHANDLER DEL:bd401c38-8d7e-450f-894b-b55c30c8579a distinguishedName=CN=MERCEDES_CHANDLER\0ADEL:bd401c38-8d7e-450f-894b-b55c30c8579a,CN=Deleted Objects,DC=attackrange,DC=local cn=MERCEDES_CHANDLER DEL:bd401c38-8d7e-450f-894b-b55c30c8579a Object Details: sAMAccountName=MERCEDES_CHANDLER objectSid=S-1-5-21-2851375338-1978525053-2422663219-2257 userAccountControl=512 objectGUID=bd401c38-8d7e-450f-894b-b55c30c8579a whenChanged=07:38.41 PM, Wed 02/21/2024 whenCreated=09:53.36 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82135 uSNCreated=24988 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=AWS,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:41.923 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=ELVIN_MORRISON DEL:ffb15af6-9f67-45b5-8c30-2a1113d547c0 distinguishedName=CN=ELVIN_MORRISON\0ADEL:ffb15af6-9f67-45b5-8c30-2a1113d547c0,CN=Deleted Objects,DC=attackrange,DC=local cn=ELVIN_MORRISON DEL:ffb15af6-9f67-45b5-8c30-2a1113d547c0 Object Details: sAMAccountName=ELVIN_MORRISON objectSid=S-1-5-21-2851375338-1978525053-2422663219-2009 userAccountControl=512 objectGUID=ffb15af6-9f67-45b5-8c30-2a1113d547c0 whenChanged=07:38.41 PM, Wed 02/21/2024 whenCreated=09:52.41 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82134 uSNCreated=23246 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=T0-Roles,OU=Tier 0,OU=Admin,DC=attackrange,DC=local isDeleted=TRUE 410615103150x0708650Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708649Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708648Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local293c3cb8-cb2c-42e7-a1aa-0acec519fc3c2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708647Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter * -Properties Enabled | Get-Random -Count 10 # Loop through each user and delete the account foreach ($user in $randomUsers) { try { Remove-ADUser -Identity $user.SamAccountName -Confirm:$false Write-Host "User account deleted: $($user.SamAccountName)" } catch { Write-Host "Failed to delete user account: $($user.SamAccountName)" } } # Output the users whose accounts were deleted Write-Host "Deleted accounts for the following users:" $randomUsers | Select-Object SamAccountName 293c3cb8-cb2c-42e7-a1aa-0acec519fc3c 410615103150x0708646Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708645Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708644Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1e20dd0c-a45e-4156-8201-748c43f866e72b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708643Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708642Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708641Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local1e20dd0c-a45e-4156-8201-748c43f866e72b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708640Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt1e20dd0c-a45e-4156-8201-748c43f866e7 410615103150x0708639Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708638Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708637Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local08869708-cd9f-462f-a1d7-c5ca74d922d42b535b4c-a403-4565-9d75-b1fc8c18a9ac 4726001382400x8020000000000000279253Securityar-win-dc.attackrange.localNATALIE_SLATERATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1181ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279252Securityar-win-dc.attackrange.localLEILA_SWANSONATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2953ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279251Securityar-win-dc.attackrange.localTOM_MCKENZIEATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-1792ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279250Securityar-win-dc.attackrange.localOLIVIA_ANDREWSATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2218ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279249Securityar-win-dc.attackrange.localLYDIA_RUSSOATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2336ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279248Securityar-win-dc.attackrange.localESSIE_SALINASATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2134ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279247Securityar-win-dc.attackrange.localRILEY_OWENATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3098ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279246Securityar-win-dc.attackrange.localLEE_OWENATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-2955ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 4726001382400x8020000000000000279245Securityar-win-dc.attackrange.localKRISTEN_MCGEEATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3286ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 5140101280800x8020000000000000279244Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x353ceeFilefe80::2c4d:3504:6979:e6f249549\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvol0x1%%4416 4627001255400x8020000000000000279243Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x353cee311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000279242Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x353cee3KerberosKerberos-{bf77338b-1ba9-4b3c-442e-31e2b3bbd0d6}--00x0-fe80::2c4d:3504:6979:e6f249549%%1840---%%18430x0%%1842 4672001254800x8020000000000000279241Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x353ceeSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4726001382400x8020000000000000279240Securityar-win-dc.attackrange.localBRIDGETTE_GARRETTATTACKRANGES-1-5-21-2851375338-1978525053-2422663219-3265ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1- 02/21/2024 19:38:39.499 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=NATALIE_SLATER DEL:d4ffca90-bc57-4143-91a9-5718e10bad0e distinguishedName=CN=NATALIE_SLATER\0ADEL:d4ffca90-bc57-4143-91a9-5718e10bad0e,CN=Deleted Objects,DC=attackrange,DC=local cn=NATALIE_SLATER DEL:d4ffca90-bc57-4143-91a9-5718e10bad0e Object Details: sAMAccountName=NATALIE_SLATER objectSid=S-1-5-21-2851375338-1978525053-2422663219-1181 userAccountControl=512 objectGUID=d4ffca90-bc57-4143-91a9-5718e10bad0e whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:49.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82133 uSNCreated=17423 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.437 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LEILA_SWANSON DEL:df268d41-1319-40f9-8c89-2b0c4d64c2ba distinguishedName=CN=LEILA_SWANSON\0ADEL:df268d41-1319-40f9-8c89-2b0c4d64c2ba,CN=Deleted Objects,DC=attackrange,DC=local cn=LEILA_SWANSON DEL:df268d41-1319-40f9-8c89-2b0c4d64c2ba Object Details: sAMAccountName=LEILA_SWANSON objectSid=S-1-5-21-2851375338-1978525053-2422663219-2953 userAccountControl=512 objectGUID=df268d41-1319-40f9-8c89-2b0c4d64c2ba whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:56.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82132 uSNCreated=29876 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.421 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=TOM_MCKENZIE DEL:07e62916-f5f2-4a7a-bf85-cade41526b38 distinguishedName=CN=TOM_MCKENZIE\0ADEL:07e62916-f5f2-4a7a-bf85-cade41526b38,CN=Deleted Objects,DC=attackrange,DC=local cn=TOM_MCKENZIE DEL:07e62916-f5f2-4a7a-bf85-cade41526b38 Object Details: sAMAccountName=TOM_MCKENZIE objectSid=S-1-5-21-2851375338-1978525053-2422663219-1792 userAccountControl=512 objectGUID=07e62916-f5f2-4a7a-bf85-cade41526b38 whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:51.49 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82131 uSNCreated=21720 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.359 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=OLIVIA_ANDREWS DEL:f465e25d-fd29-43be-a0f7-4743951d21bf distinguishedName=CN=OLIVIA_ANDREWS\0ADEL:f465e25d-fd29-43be-a0f7-4743951d21bf,CN=Deleted Objects,DC=attackrange,DC=local cn=OLIVIA_ANDREWS DEL:f465e25d-fd29-43be-a0f7-4743951d21bf Object Details: sAMAccountName=OLIVIA_ANDREWS objectSid=S-1-5-21-2851375338-1978525053-2422663219-2218 userAccountControl=512 objectGUID=f465e25d-fd29-43be-a0f7-4743951d21bf whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:53.28 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82130 uSNCreated=24713 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=AWS,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.327 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LYDIA_RUSSO DEL:9396c805-1c01-4b6f-9ea5-5f8a2d78587e distinguishedName=CN=LYDIA_RUSSO\0ADEL:9396c805-1c01-4b6f-9ea5-5f8a2d78587e,CN=Deleted Objects,DC=attackrange,DC=local cn=LYDIA_RUSSO DEL:9396c805-1c01-4b6f-9ea5-5f8a2d78587e Object Details: sAMAccountName=LYDIA_RUSSO objectSid=S-1-5-21-2851375338-1978525053-2422663219-2336 userAccountControl=512 objectGUID=9396c805-1c01-4b6f-9ea5-5f8a2d78587e whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:53.53 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82129 uSNCreated=25541 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Tier 2,OU=Admin,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.249 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=ESSIE_SALINAS DEL:1ad42e0d-7cc8-4701-a6cb-69f7adca8ad3 distinguishedName=CN=ESSIE_SALINAS\0ADEL:1ad42e0d-7cc8-4701-a6cb-69f7adca8ad3,CN=Deleted Objects,DC=attackrange,DC=local cn=ESSIE_SALINAS DEL:1ad42e0d-7cc8-4701-a6cb-69f7adca8ad3 Object Details: sAMAccountName=ESSIE_SALINAS objectSid=S-1-5-21-2851375338-1978525053-2422663219-2134 userAccountControl=512 objectGUID=1ad42e0d-7cc8-4701-a6cb-69f7adca8ad3 whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:53.09 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82128 uSNCreated=24123 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.187 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=RILEY_OWEN DEL:8658c536-e6a2-4a87-a42a-766affc4d1f5 distinguishedName=CN=RILEY_OWEN\0ADEL:8658c536-e6a2-4a87-a42a-766affc4d1f5,CN=Deleted Objects,DC=attackrange,DC=local cn=RILEY_OWEN DEL:8658c536-e6a2-4a87-a42a-766affc4d1f5 Object Details: sAMAccountName=RILEY_OWEN objectSid=S-1-5-21-2851375338-1978525053-2422663219-3098 userAccountControl=4194816 objectGUID=8658c536-e6a2-4a87-a42a-766affc4d1f5 whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:56.32 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82127 uSNCreated=30896 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.155 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=LEE_OWEN DEL:cefa4d75-89e2-4470-b8a0-fa345385f9d6 distinguishedName=CN=LEE_OWEN\0ADEL:cefa4d75-89e2-4470-b8a0-fa345385f9d6,CN=Deleted Objects,DC=attackrange,DC=local cn=LEE_OWEN DEL:cefa4d75-89e2-4470-b8a0-fa345385f9d6 Object Details: sAMAccountName=LEE_OWEN objectSid=S-1-5-21-2851375338-1978525053-2422663219-2955 userAccountControl=512 objectGUID=cefa4d75-89e2-4470-b8a0-fa345385f9d6 whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:56.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82126 uSNCreated=29890 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=ESM,OU=Tier 1,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.124 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=KRISTEN_MCGEE DEL:f952e959-30fc-4bb5-bdbb-27b96da724c4 distinguishedName=CN=KRISTEN_MCGEE\0ADEL:f952e959-30fc-4bb5-bdbb-27b96da724c4,CN=Deleted Objects,DC=attackrange,DC=local cn=KRISTEN_MCGEE DEL:f952e959-30fc-4bb5-bdbb-27b96da724c4 Object Details: sAMAccountName=KRISTEN_MCGEE objectSid=S-1-5-21-2851375338-1978525053-2422663219-3286 userAccountControl=512 objectGUID=f952e959-30fc-4bb5-bdbb-27b96da724c4 whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:57.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82125 uSNCreated=32216 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=Groups,OU=FIN,OU=Stage,DC=attackrange,DC=local isDeleted=TRUE 02/21/2024 19:38:39.062 dcName=ar-win-dc.attackrange.local admonEventType=Deleted Names: name=BRIDGETTE_GARRETT DEL:917a7609-22e2-437e-aa50-e97aab73384a distinguishedName=CN=BRIDGETTE_GARRETT\0ADEL:917a7609-22e2-437e-aa50-e97aab73384a,CN=Deleted Objects,DC=attackrange,DC=local cn=BRIDGETTE_GARRETT DEL:917a7609-22e2-437e-aa50-e97aab73384a Object Details: sAMAccountName=BRIDGETTE_GARRETT objectSid=S-1-5-21-2851375338-1978525053-2422663219-3265 userAccountControl=512 objectGUID=917a7609-22e2-437e-aa50-e97aab73384a whenChanged=07:38.39 PM, Wed 02/21/2024 whenCreated=09:57.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82124 uSNCreated=32069 instanceType=4 Additional Details: isRecycled=TRUE lastKnownParent=OU=ServiceAccounts,OU=ESM,OU=Tier 2,DC=attackrange,DC=local isDeleted=TRUE 410615103150x0708636Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708635Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708634Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local08869708-cd9f-462f-a1d7-c5ca74d922d42b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708633Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter * -Properties Enabled | Get-Random -Count 10 # Loop through each user and delete the account foreach ($user in $randomUsers) { try { Remove-ADUser -Identity $user.SamAccountName -Confirm:$false Write-Host "User account deleted: $($user.SamAccountName)" } catch { Write-Host "Failed to delete user account: $($user.SamAccountName)" } } # Output the users whose accounts were deleted Write-Host "Deleted accounts for the following users:" $randomUsers | Select-Object SamAccountName 08869708-cd9f-462f-a1d7-c5ca74d922d4 410615103150x0708632Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4634001254500x8020000000000000279239Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3533283 4627001255400x8020000000000000279238Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x353328311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000279237Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x3533283KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::149543%%1833---%%18430x0%%1842 4672001254800x8020000000000000279236Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x353328SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4689001331300x8020000000000000427777Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xddcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000043363Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:38:21.970{501DA29B-512D-65D6-C404-000000004903}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427776Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xddcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045639Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:38:21.174{0b642d80-512d-65d6-0f05-00000000be02}5964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279235Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x174cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000279234Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x174cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427775Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x5b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000427774Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x5b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043362Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:38:21.216{501DA29B-512D-65D6-C304-000000004903}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279233Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x8acC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000427773Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xd38C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000427772Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd38C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043361Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:38:20.473{501DA29B-512C-65D6-C204-000000004903}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000279232Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x8acC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045638Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:38:20.424{0b642d80-512c-65d6-0e05-00000000be02}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279231Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000279230Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd80C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045637Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:38:19.675{0b642d80-512b-65d6-0d05-00000000be02}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000043360Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:38:19.723{501DA29B-512B-65D6-C104-000000004903}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000427771Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1050C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000427770Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1050C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427769Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xe3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000045636Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:38:19.064{0b642d80-512b-65d6-0c05-00000000be02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279229Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xc48C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000279228Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xc48C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043359Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:38:18.948{501DA29B-512A-65D6-C004-000000004903}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427768Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe3cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045635Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:38:18.314{0b642d80-512a-65d6-0b05-00000000be02}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279227Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1518C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000279226Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1518C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045634Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:41.201{0b642d80-5105-65d6-0a05-00000000be02}1432C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 154100x800000000000000045633Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:41.068{0b642d80-5105-65d6-0905-00000000be02}5132C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Caption /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 4689001331300x8020000000000000279225Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x598C:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000279224Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x598C:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Version /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000279223Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x140cC:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000279222Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x140cC:\Windows\System32\wbem\WMIC.exe%%19360x108cwmic OS get Caption /format:listNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000279221Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x13b0C:\Windows\System32\wbem\WMIC.exe 154100x800000000000000045632Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:40.955{0b642d80-5104-65d6-0805-00000000be02}5040C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 154100x800000000000000045631Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:40.815{0b642d80-5104-65d6-0605-00000000be02}120C:\Windows\System32\wbem\WMIC.exe10.0.17763.1 (WinBuild.160101.0800)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueC:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E{0b642d80-29c2-65d6-6000-00000000be02}4236C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"NT AUTHORITY\SYSTEM 4688201331200x8020000000000000279220Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x13b0C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get Domain /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000279219Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x00x78C:\Windows\System32\wbem\WMIC.exe 4688201331200x8020000000000000279218Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd34C:\Windows\System32\wbem\WmiPrvSE.exe%%19360x35cC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingNULL SIDAR-WIN-DC$ATTACKRANGE0x3e4C:\Windows\System32\svchost.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000279217Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x78C:\Windows\System32\wbem\WMIC.exe%%19360x108cC:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /valueNULL SID--0x0C:\Program Files\Amazon\SSM\ssm-agent-worker.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427767Securityar-win-2.attackrange.localNT AUTHORITY\NETWORK SERVICEAR-WIN-2$ATTACKRANGE0x3e40x00xe58C:\Windows\System32\wbem\WmiPrvSE.exe 4634001254500x8020000000000000279216Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x34e93f3 4627001255400x8020000000000000279215Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x34e93f311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000279214Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x34e93f3KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::149533%%1833---%%18430x0%%1842 4672001254800x8020000000000000279213Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x34e93fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4689001331300x8020000000000000427766Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xbc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000043358Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:37:21.961{501DA29B-50F1-65D6-BF04-000000004903}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279212Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1accC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000045630Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:21.361{0b642d80-50f1-65d6-0505-00000000be02}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427765Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427764Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x650C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000427763Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x650C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000279211Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1accC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043357Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:37:21.206{501DA29B-50F1-65D6-BE04-000000004903}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279210Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x7a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000279209Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x7a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043356Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:37:20.457{501DA29B-50F0-65D6-BD04-000000004903}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000427762Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000427761Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045629Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:20.605{0b642d80-50f0-65d6-0405-00000000be02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279208Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1858C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000427760Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x13fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000045628Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:19.841{0b642d80-50ef-65d6-0305-00000000be02}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000279207Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1858C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000279206Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000427759Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x13fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427758Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000043355Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:37:19.697{501DA29B-50EF-65D6-BC04-000000004903}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000045627Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:19.082{0b642d80-50ef-65d6-0205-00000000be02}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000279205Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000427757Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043354Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:37:18.937{501DA29B-50EE-65D6-BB04-000000004903}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000045626Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:37:18.318{0b642d80-50ee-65d6-0105-00000000be02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000279204Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xb18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000279203Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xb18C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4673001305700x8010000000000000279202Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 4634001254500x8020000000000000279201Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE0x34be0c3 4673001305700x8010000000000000279200Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 4673001305700x8010000000000000279199Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe