4634001254500x8020000000000000278807Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cf023 4634001254500x8020000000000000278806Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30d08c3 4634001254500x8020000000000000278805Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30d0e13 4627001255400x8020000000000000278804Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30d0e1311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278803Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30d0e13KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-10.0.1.1449421%%1833---%%18430x0%%1842 4672001254800x8020000000000000278802Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30d0e1SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000278801Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30d08c311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278800Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30d08c3KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000278799Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30d08cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 5140101280800x8020000000000000278798Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cf9eFilefe80::2c4d:3504:6979:e6f249420\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvol0x1%%4416 4627001255400x8020000000000000278797Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30cf9e311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278796Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30cf9e3KerberosKerberos-{a1f4a8ae-aabd-0197-ba17-fb20accbfc36}--00x0-fe80::2c4d:3504:6979:e6f249420%%1840---%%18430x0%%1842 4672001254800x8020000000000000278795Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cf9eSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000278794Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30cf02311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278793Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30cf023KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-fe80::2c4d:3504:6979:e6f249419%%1833---%%18430x0%%1842 4672001254800x8020000000000000278792Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cf02SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000278791Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30ced4311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278790Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30ced43KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-fe80::2c4d:3504:6979:e6f249418%%1833---%%18430x0%%1842 4672001254800x8020000000000000278789Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30ced4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000278788Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cb913 4627001255400x8020000000000000278787Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30cb91311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278786Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30cb913KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-fe80::2c4d:3504:6979:e6f249416%%1833---%%18430x0%%1842 4672001254800x8020000000000000278785Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cb91SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000278784Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cb0d3 4627001255400x8020000000000000278783Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30cb0d311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278782Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30cb0d3KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-fe80::2c4d:3504:6979:e6f249415%%1833---%%18430x0%%1842 4672001254800x8020000000000000278781Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30cb0dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000278780Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30c6f53 4627001255400x8020000000000000278779Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x30c6f5311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278778Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x30c6f53KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::149412%%1833---%%18430x0%%1842 4672001254800x8020000000000000278777Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x30c6f5SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000043254Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:20:21.709{501DA29B-4CF5-65D6-5604-000000004903}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000427557Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1374C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000427556Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1374C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427555Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xb7cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000045527Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:20:21.161{0b642d80-4cf5-65d6-a104-00000000be02}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278776Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x19f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000278775Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x19f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000278774Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xbb8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 154100x800000000000000043253Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:20:20.949{501DA29B-4CF4-65D6-5504-000000004903}2940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000043252Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:20:20.200{501DA29B-4CF4-65D6-5404-000000004903}4124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427554Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb7cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427553Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x101cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000427552Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x101cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045526Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:20:20.395{0b642d80-4cf4-65d6-a004-00000000be02}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000278773Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbb8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 410515102150x0708631Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708630Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local826b3aaf-9d43-4011-be7e-5f0b4a8e64862b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708629Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708628Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708627Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local826b3aaf-9d43-4011-be7e-5f0b4a8e64862b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708626Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt826b3aaf-9d43-4011-be7e-5f0b4a8e6486 410615103150x0708625Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708624Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708623Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local9f0fd5cf-e34a-4de9-95d4-a7afd3b651ed2b535b4c-a403-4565-9d75-b1fc8c18a9ac 154100x800000000000000045525Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:20:19.644{0b642d80-4cf3-65d6-9f04-00000000be02}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278772Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x14dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4725001382400x8020000000000000278771Securityar-win-dc.attackrange.localWILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278770Securityar-win-dc.attackrange.local-WILFORD_SUTTONATTACKRANGEATTACKRANGE\WILFORD_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278769Securityar-win-dc.attackrange.localCAROL_HOWARDATTACKRANGEATTACKRANGE\CAROL_HOWARDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278768Securityar-win-dc.attackrange.local-CAROL_HOWARDATTACKRANGEATTACKRANGE\CAROL_HOWARDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278767Securityar-win-dc.attackrange.localBLANCHE_RODRIQUEZATTACKRANGEATTACKRANGE\BLANCHE_RODRIQUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278766Securityar-win-dc.attackrange.local-BLANCHE_RODRIQUEZATTACKRANGEATTACKRANGE\BLANCHE_RODRIQUEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4688201331200x8020000000000000278765Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x14dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4725001382400x8020000000000000278764Securityar-win-dc.attackrange.localBRENT_BLAIRATTACKRANGEATTACKRANGE\BRENT_BLAIRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278763Securityar-win-dc.attackrange.local-BRENT_BLAIRATTACKRANGEATTACKRANGE\BRENT_BLAIRATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100100x10011 %%2080--- 4725001382400x8020000000000000278762Securityar-win-dc.attackrange.localALDO_HYDEATTACKRANGEATTACKRANGE\ALDO_HYDEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278761Securityar-win-dc.attackrange.local-ALDO_HYDEATTACKRANGEATTACKRANGE\ALDO_HYDEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278760Securityar-win-dc.attackrange.local2160133923SAATTACKRANGEATTACKRANGE\2160133923SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278759Securityar-win-dc.attackrange.local-2160133923SAATTACKRANGEATTACKRANGE\2160133923SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100100x10011 %%2080--- 4725001382400x8020000000000000278758Securityar-win-dc.attackrange.localKERRY_LOPEZATTACKRANGEATTACKRANGE\KERRY_LOPEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278757Securityar-win-dc.attackrange.local-KERRY_LOPEZATTACKRANGEATTACKRANGE\KERRY_LOPEZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278756Securityar-win-dc.attackrange.localRACHEL_JOSEPHATTACKRANGEATTACKRANGE\RACHEL_JOSEPHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278755Securityar-win-dc.attackrange.local-RACHEL_JOSEPHATTACKRANGEATTACKRANGE\RACHEL_JOSEPHATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278754Securityar-win-dc.attackrange.localHERSCHEL_PARKSATTACKRANGEATTACKRANGE\HERSCHEL_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278753Securityar-win-dc.attackrange.local-HERSCHEL_PARKSATTACKRANGEATTACKRANGE\HERSCHEL_PARKSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278752Securityar-win-dc.attackrange.localLAUREL_GREENATTACKRANGEATTACKRANGE\LAUREL_GREENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278751Securityar-win-dc.attackrange.local-LAUREL_GREENATTACKRANGEATTACKRANGE\LAUREL_GREENATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 154100x800000000000000043251Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:20:19.432{501DA29B-4CF3-65D6-5304-000000004903}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000427551Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xcb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000427550Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xcb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427549Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1354C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 02/21/2024 19:20:19.721 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WILFORD_SUTTON@attackrange.local name=WILFORD_SUTTON displayName=WILFORD_SUTTON distinguishedName=CN=WILFORD_SUTTON,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=WILFORD_SUTTON cn=WILFORD_SUTTON Object Details: sAMAccountType=805306368 sAMAccountName=WILFORD_SUTTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2619 primaryGroupID=513 pwdLastSet=09:54.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=13a8b83c-f1e9-4171-89ff-aa322a1c7252 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:54.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82119 uSNCreated=27531 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=MA-cambrils4-distlist1,OU=Groups,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=MA-compilaci-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=ED-829-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.689 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CAROL_HOWARD@attackrange.local name=CAROL_HOWARD displayName=CAROL_HOWARD distinguishedName=CN=CAROL_HOWARD,OU=T1-Permissions,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=CAROL_HOWARD cn=CAROL_HOWARD Object Details: sAMAccountType=805306368 sAMAccountName=CAROL_HOWARD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1919 primaryGroupID=513 pwdLastSet=09:52.21 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=5beadfff-b8f0-45a0-bb42-b13a3bafa9b1 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.21 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82118 uSNCreated=22614 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-bih-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=TE-605221782-distlist1,OU=ServiceAccounts,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=JO-dia-admingroup1,OU=Devices,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=OD-4ke-admingroup1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ED-bal-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-potipoti1-distlist1,OU=Groups,OU=BDE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.658 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BLANCHE_RODRIQUEZ@attackrange.local name=BLANCHE_RODRIQUEZ displayName=BLANCHE_RODRIQUEZ distinguishedName=CN=BLANCHE_RODRIQUEZ,OU=Test,OU=ITS,OU=Tier 2,DC=attackrange,DC=local sn=BLANCHE_RODRIQUEZ cn=BLANCHE_RODRIQUEZ Object Details: sAMAccountType=805306368 sAMAccountName=BLANCHE_RODRIQUEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2904 primaryGroupID=513 pwdLastSet=09:55.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:55.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82117 uSNCreated=29533 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.627 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BRENT_BLAIR@attackrange.local name=BRENT_BLAIR displayName=BRENT_BLAIR distinguishedName=CN=BRENT_BLAIR,OU=OGC,OU=Tier 1,DC=attackrange,DC=local sn=BRENT_BLAIR cn=BRENT_BLAIR Object Details: sAMAccountType=805306368 sAMAccountName=BRENT_BLAIR logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1179 primaryGroupID=513 pwdLastSet=09:49.25 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=ec471159-8f74-4086-b739-aaa0677bec40 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:49.25 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82116 uSNCreated=17409 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.594 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALDO_HYDE@attackrange.local name=ALDO_HYDE displayName=ALDO_HYDE distinguishedName=CN=ALDO_HYDE,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=ALDO_HYDE cn=ALDO_HYDE Object Details: sAMAccountType=805306368 sAMAccountName=ALDO_HYDE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2362 primaryGroupID=513 pwdLastSet=09:53.59 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=e6696dca-02a3-43be-91e2-8052cb72dcf3 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:53.59 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82115 uSNCreated=25725 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.562 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=2160133923SA@attackrange.local name=2160133923SA displayName=2160133923SA distinguishedName=CN=2160133923SA,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=2160133923SA cn=2160133923SA Object Details: sAMAccountType=805306368 sAMAccountName=2160133923SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1926 primaryGroupID=513 pwdLastSet=09:52.23 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=736bce28-4ded-4198-a02e-5c0fe53fcb71 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.23 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82114 uSNCreated=22663 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|16010714223233.0Z memberOf=CN=HA-web-distlist1,OU=Devices,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=EL-650584980-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=RO-1.47258E1-distlist1,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=WA-bla-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=CA-estrellap-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=BE-welcome12-distlist1,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=ED-sag-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.516 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KERRY_LOPEZ@attackrange.local name=KERRY_LOPEZ displayName=KERRY_LOPEZ distinguishedName=CN=KERRY_LOPEZ,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local sn=KERRY_LOPEZ cn=KERRY_LOPEZ Object Details: sAMAccountType=805306368 sAMAccountName=KERRY_LOPEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2465 primaryGroupID=513 pwdLastSet=09:54.22 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=68ad2c07-9817-42d9-bf50-2527c45a260a whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:54.22 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82113 uSNCreated=26449 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=PR-davidjime-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=NE-ele-distlist1,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.485 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RACHEL_JOSEPH@attackrange.local name=RACHEL_JOSEPH displayName=RACHEL_JOSEPH distinguishedName=CN=RACHEL_JOSEPH,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local sn=RACHEL_JOSEPH cn=RACHEL_JOSEPH Object Details: sAMAccountType=805306368 sAMAccountName=RACHEL_JOSEPH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1432 primaryGroupID=513 pwdLastSet=09:50.28 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=7844eaab-1e76-432f-9dd8-291fb23f3d2c whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:50.28 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82112 uSNCreated=19189 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.453 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=HERSCHEL_PARKS@attackrange.local name=HERSCHEL_PARKS displayName=HERSCHEL_PARKS distinguishedName=CN=HERSCHEL_PARKS,OU=Admin,DC=attackrange,DC=local sn=HERSCHEL_PARKS cn=HERSCHEL_PARKS Object Details: sAMAccountType=805306368 sAMAccountName=HERSCHEL_PARKS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1189 primaryGroupID=513 pwdLastSet=09:49.28 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=d7734efb-b362-40c2-8c21-9e137af3d9bf whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:49.27 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82111 uSNCreated=17479 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.422 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LAUREL_GREEN@attackrange.local name=LAUREL_GREEN displayName=LAUREL_GREEN distinguishedName=CN=LAUREL_GREEN,OU=Devices,OU=FIN,OU=Tier 1,DC=attackrange,DC=local sn=LAUREL_GREEN cn=LAUREL_GREEN Object Details: sAMAccountType=805306368 sAMAccountName=LAUREL_GREEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1892 primaryGroupID=513 pwdLastSet=09:52.14 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=f2a6f7e6-6f63-4c2e-a265-a61e8cb3f8e2 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.14 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82110 uSNCreated=22424 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=QU-104744421-distlist1,OU=People,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=JE-che-distlist1,OU=FSR,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.619 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=WILFORD_SUTTON@attackrange.local name=WILFORD_SUTTON displayName=WILFORD_SUTTON distinguishedName=CN=WILFORD_SUTTON,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=WILFORD_SUTTON cn=WILFORD_SUTTON Object Details: sAMAccountType=805306368 sAMAccountName=WILFORD_SUTTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2619 primaryGroupID=513 pwdLastSet=09:54.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=13a8b83c-f1e9-4171-89ff-aa322a1c7252 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:54.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82119 uSNCreated=27531 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=MA-cambrils4-distlist1,OU=Groups,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=MA-compilaci-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=RO-yah-distlist1,OU=Devices,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=ED-829-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.587 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=CAROL_HOWARD@attackrange.local name=CAROL_HOWARD displayName=CAROL_HOWARD distinguishedName=CN=CAROL_HOWARD,OU=T1-Permissions,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=CAROL_HOWARD cn=CAROL_HOWARD Object Details: sAMAccountType=805306368 sAMAccountName=CAROL_HOWARD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1919 primaryGroupID=513 pwdLastSet=09:52.21 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=5beadfff-b8f0-45a0-bb42-b13a3bafa9b1 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.21 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82118 uSNCreated=22614 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-bih-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=AN-mar-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=TE-605221782-distlist1,OU=ServiceAccounts,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=AN-mil-admingroup1,OU=Test,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=JO-dia-admingroup1,OU=Devices,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=OD-4ke-admingroup1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=ED-bal-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-potipoti1-distlist1,OU=Groups,OU=BDE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.556 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BLANCHE_RODRIQUEZ@attackrange.local name=BLANCHE_RODRIQUEZ displayName=BLANCHE_RODRIQUEZ distinguishedName=CN=BLANCHE_RODRIQUEZ,OU=Test,OU=ITS,OU=Tier 2,DC=attackrange,DC=local sn=BLANCHE_RODRIQUEZ cn=BLANCHE_RODRIQUEZ Object Details: sAMAccountType=805306368 sAMAccountName=BLANCHE_RODRIQUEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2904 primaryGroupID=513 pwdLastSet=09:55.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=28cf1bec-b3ea-41f9-8f63-68ac2dfe1d79 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:55.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82117 uSNCreated=29533 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.525 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=BRENT_BLAIR@attackrange.local name=BRENT_BLAIR displayName=BRENT_BLAIR distinguishedName=CN=BRENT_BLAIR,OU=OGC,OU=Tier 1,DC=attackrange,DC=local sn=BRENT_BLAIR cn=BRENT_BLAIR Object Details: sAMAccountType=805306368 sAMAccountName=BRENT_BLAIR logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1179 primaryGroupID=513 pwdLastSet=09:49.25 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=ec471159-8f74-4086-b739-aaa0677bec40 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:49.25 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82116 uSNCreated=17409 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=MA-mal-distlist1,OU=Groups,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=ID-pinkandbl-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.478 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALDO_HYDE@attackrange.local name=ALDO_HYDE displayName=ALDO_HYDE distinguishedName=CN=ALDO_HYDE,OU=GOO,OU=Tier 2,DC=attackrange,DC=local sn=ALDO_HYDE cn=ALDO_HYDE Object Details: sAMAccountType=805306368 sAMAccountName=ALDO_HYDE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2362 primaryGroupID=513 pwdLastSet=09:53.59 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=e6696dca-02a3-43be-91e2-8052cb72dcf3 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:53.59 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82115 uSNCreated=25725 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.447 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=2160133923SA@attackrange.local name=2160133923SA displayName=2160133923SA distinguishedName=CN=2160133923SA,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=2160133923SA cn=2160133923SA Object Details: sAMAccountType=805306368 sAMAccountName=2160133923SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1926 primaryGroupID=513 pwdLastSet=09:52.23 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=736bce28-4ded-4198-a02e-5c0fe53fcb71 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.23 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82114 uSNCreated=22663 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|16010714223233.0Z memberOf=CN=HA-web-distlist1,OU=Devices,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=EL-650584980-distlist1,OU=Groups,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=IS-988471691-admingroup1,OU=Test,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=CA-mor-distlist1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=RO-1.47258E1-distlist1,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=VI-AVMM94042-distlist1,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=WA-bla-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=CA-estrellap-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=BE-welcome12-distlist1,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=ED-sag-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=AL-ollin9090-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.415 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KERRY_LOPEZ@attackrange.local name=KERRY_LOPEZ displayName=KERRY_LOPEZ distinguishedName=CN=KERRY_LOPEZ,OU=Devices,OU=HRE,OU=Stage,DC=attackrange,DC=local sn=KERRY_LOPEZ cn=KERRY_LOPEZ Object Details: sAMAccountType=805306368 sAMAccountName=KERRY_LOPEZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2465 primaryGroupID=513 pwdLastSet=09:54.22 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=68ad2c07-9817-42d9-bf50-2527c45a260a whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:54.22 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82113 uSNCreated=26449 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CO-909469223-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=PR-davidjime-admingroup1,OU=Test,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=NE-ele-distlist1,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:19.369 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RACHEL_JOSEPH@attackrange.local name=RACHEL_JOSEPH displayName=RACHEL_JOSEPH distinguishedName=CN=RACHEL_JOSEPH,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local sn=RACHEL_JOSEPH cn=RACHEL_JOSEPH Object Details: sAMAccountType=805306368 sAMAccountName=RACHEL_JOSEPH logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1432 primaryGroupID=513 pwdLastSet=09:50.28 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=7844eaab-1e76-432f-9dd8-291fb23f3d2c whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:50.28 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82112 uSNCreated=19189 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.353 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=HERSCHEL_PARKS@attackrange.local name=HERSCHEL_PARKS displayName=HERSCHEL_PARKS distinguishedName=CN=HERSCHEL_PARKS,OU=Admin,DC=attackrange,DC=local sn=HERSCHEL_PARKS cn=HERSCHEL_PARKS Object Details: sAMAccountType=805306368 sAMAccountName=HERSCHEL_PARKS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1189 primaryGroupID=513 pwdLastSet=09:49.28 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=d7734efb-b362-40c2-8c21-9e137af3d9bf whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:49.27 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82111 uSNCreated=17479 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:19.322 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LAUREL_GREEN@attackrange.local name=LAUREL_GREEN displayName=LAUREL_GREEN distinguishedName=CN=LAUREL_GREEN,OU=Devices,OU=FIN,OU=Tier 1,DC=attackrange,DC=local sn=LAUREL_GREEN cn=LAUREL_GREEN Object Details: sAMAccountType=805306368 sAMAccountName=LAUREL_GREEN logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1892 primaryGroupID=513 pwdLastSet=09:52.14 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=f2a6f7e6-6f63-4c2e-a265-a61e8cb3f8e2 whenChanged=07:20.19 PM, Wed 02/21/2024 whenCreated=09:52.14 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82110 uSNCreated=22424 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=BE-pau-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=QU-104744421-distlist1,OU=People,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=NA-memyselfi-distlist1,OU=Test,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=JE-che-distlist1,OU=FSR,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 4689001331300x8020000000000000278750Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 154100x800000000000000043250Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:20:18.850{501DA29B-4CF2-65D6-5204-000000004903}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427548Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1354C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 410615103150x0708622Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708621Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708620Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local9f0fd5cf-e34a-4de9-95d4-a7afd3b651ed2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708619Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled | Get-Random -Count 10 # Loop through each user and disable the account foreach ($user in $randomUsers) { try { Disable-ADAccount -Identity $user.SamAccountName Write-Host "Account disabled for user: $($user.SamAccountName)" } catch { Write-Host "Failed to disable account for user: $($user.SamAccountName)" } } # Output the users whose accounts were disabled Write-Host "Disabled accounts for the following users:" $randomUsers | Select-Object SamAccountName 9f0fd5cf-e34a-4de9-95d4-a7afd3b651ed 410615103150x0708618Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 154100x800000000000000045524Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:20:18.892{0b642d80-4cf2-65d6-9e04-00000000be02}4488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000045523Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:20:18.142{0b642d80-4cf2-65d6-9d04-00000000be02}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000278749Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000278748Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000278747Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x117cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 410515102150x0708617Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708616Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbb8cfd75-aa66-43a6-9351-db0b42e8734e2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708615Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708614Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708613Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbb8cfd75-aa66-43a6-9351-db0b42e8734e2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708612Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptbb8cfd75-aa66-43a6-9351-db0b42e8734e 410615103150x0708611Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708610Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708609Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local23f698fc-5197-42b9-9202-fac7d82ac0962b535b4c-a403-4565-9d75-b1fc8c18a9ac 4725001382400x8020000000000000278746Securityar-win-dc.attackrange.localROSS_PHELPSATTACKRANGEATTACKRANGE\ROSS_PHELPSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278745Securityar-win-dc.attackrange.local-ROSS_PHELPSATTACKRANGEATTACKRANGE\ROSS_PHELPSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278744Securityar-win-dc.attackrange.localLUCIEN_YANGATTACKRANGEATTACKRANGE\LUCIEN_YANGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278743Securityar-win-dc.attackrange.local-LUCIEN_YANGATTACKRANGEATTACKRANGE\LUCIEN_YANGATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278742Securityar-win-dc.attackrange.localSERENA_ROYATTACKRANGEATTACKRANGE\SERENA_ROYATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278741Securityar-win-dc.attackrange.local-SERENA_ROYATTACKRANGEATTACKRANGE\SERENA_ROYATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278740Securityar-win-dc.attackrange.localVAUGHN_SUTTONATTACKRANGEATTACKRANGE\VAUGHN_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278739Securityar-win-dc.attackrange.local-VAUGHN_SUTTONATTACKRANGEATTACKRANGE\VAUGHN_SUTTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 02/21/2024 19:20:15.076 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROSS_PHELPS@attackrange.local name=ROSS_PHELPS displayName=ROSS_PHELPS distinguishedName=CN=ROSS_PHELPS,OU=T2-Devices,OU=Tier 2,OU=Admin,DC=attackrange,DC=local sn=ROSS_PHELPS cn=ROSS_PHELPS Object Details: sAMAccountType=805306368 sAMAccountName=ROSS_PHELPS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3597 primaryGroupID=513 pwdLastSet=09:58.13 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=470685c5-367e-49c8-8a76-b68695986ea8 whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:58.12 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82109 uSNCreated=34405 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=FR-maj-distlist1,OU=T0-Permissions,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ES-so0-admingroup1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=CA-bbb-distlist1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=Gu-santaolaj-admingroup1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=ED-sag-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:15.043 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LUCIEN_YANG@attackrange.local name=LUCIEN_YANG displayName=LUCIEN_YANG distinguishedName=CN=LUCIEN_YANG,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=LUCIEN_YANG cn=LUCIEN_YANG Object Details: sAMAccountType=805306368 sAMAccountName=LUCIEN_YANG logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1681 primaryGroupID=513 pwdLastSet=09:51.26 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4a579f37-7c2b-419d-a81c-fd300e833fc0 whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:51.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82108 uSNCreated=20938 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=GA-mabelis19-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=KR-51de52ni5-admingroup1,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=PA-26d-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=WA-OMARANTON-distlist1,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=AS-189-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local|CN=QU-nin-distlist1,OU=Groups,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=SU-221-distlist1,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AN-allisonro-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:15.028 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=SERENA_ROY@attackrange.local name=SERENA_ROY displayName=SERENA_ROY distinguishedName=CN=SERENA_ROY,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=SERENA_ROY cn=SERENA_ROY Object Details: sAMAccountType=805306368 sAMAccountName=SERENA_ROY logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1309 primaryGroupID=513 pwdLastSet=09:49.58 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=83b9a74e-157e-4b15-b71e-afdd77e94f7e whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:49.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82107 uSNCreated=18323 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ST-712-admingroup1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AN-alfonsoca-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=BO-abi-distlist1,OU=Stage,DC=attackrange,DC=local|CN=NA-pay-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 4725001382400x8020000000000000278738Securityar-win-dc.attackrange.localPEDRO_DIXONATTACKRANGEATTACKRANGE\PEDRO_DIXONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278737Securityar-win-dc.attackrange.local-PEDRO_DIXONATTACKRANGEATTACKRANGE\PEDRO_DIXONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278736Securityar-win-dc.attackrange.localDREW_CLAYTONATTACKRANGEATTACKRANGE\DREW_CLAYTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278735Securityar-win-dc.attackrange.local-DREW_CLAYTONATTACKRANGEATTACKRANGE\DREW_CLAYTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278734Securityar-win-dc.attackrange.local1655173318SAATTACKRANGEATTACKRANGE\1655173318SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278733Securityar-win-dc.attackrange.local-1655173318SAATTACKRANGEATTACKRANGE\1655173318SAATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278732Securityar-win-dc.attackrange.localLEMUEL_LEEATTACKRANGEATTACKRANGE\LEMUEL_LEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278731Securityar-win-dc.attackrange.local-LEMUEL_LEEATTACKRANGEATTACKRANGE\LEMUEL_LEEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278730Securityar-win-dc.attackrange.localDANIAL_MEYERATTACKRANGEATTACKRANGE\DANIAL_MEYERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278729Securityar-win-dc.attackrange.local-DANIAL_MEYERATTACKRANGEATTACKRANGE\DANIAL_MEYERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278728Securityar-win-dc.attackrange.localALLIE_FLOYDATTACKRANGEATTACKRANGE\ALLIE_FLOYDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278727Securityar-win-dc.attackrange.local-ALLIE_FLOYDATTACKRANGEATTACKRANGE\ALLIE_FLOYDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 02/21/2024 19:20:14.971 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROSS_PHELPS@attackrange.local name=ROSS_PHELPS displayName=ROSS_PHELPS distinguishedName=CN=ROSS_PHELPS,OU=T2-Devices,OU=Tier 2,OU=Admin,DC=attackrange,DC=local sn=ROSS_PHELPS cn=ROSS_PHELPS Object Details: sAMAccountType=805306368 sAMAccountName=ROSS_PHELPS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3597 primaryGroupID=513 pwdLastSet=09:58.13 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=470685c5-367e-49c8-8a76-b68695986ea8 whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:58.12 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82109 uSNCreated=34405 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=FR-maj-distlist1,OU=T0-Permissions,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=ES-so0-admingroup1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-sdf-distlist1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=CA-bbb-distlist1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=Gu-santaolaj-admingroup1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=ED-sag-admingroup1,OU=Devices,OU=SEC,OU=Tier 1,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.940 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LUCIEN_YANG@attackrange.local name=LUCIEN_YANG displayName=LUCIEN_YANG distinguishedName=CN=LUCIEN_YANG,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=LUCIEN_YANG cn=LUCIEN_YANG Object Details: sAMAccountType=805306368 sAMAccountName=LUCIEN_YANG logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1681 primaryGroupID=513 pwdLastSet=09:51.26 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4a579f37-7c2b-419d-a81c-fd300e833fc0 whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:51.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82108 uSNCreated=20938 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=RA-edufer191-distlist1,OU=Groups,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=GA-mabelis19-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=KR-51de52ni5-admingroup1,OU=AZR,OU=Tier 1,DC=attackrange,DC=local|CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=PA-26d-distlist1,OU=Test,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=WA-OMARANTON-distlist1,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=AS-189-distlist1,OU=OGC,OU=People,DC=attackrange,DC=local|CN=QU-nin-distlist1,OU=Groups,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=SU-221-distlist1,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=WI-ascarothh-admingroup1,OU=.SecFrame.com,DC=attackrange,DC=local|CN=AN-allisonro-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.924 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=SERENA_ROY@attackrange.local name=SERENA_ROY displayName=SERENA_ROY distinguishedName=CN=SERENA_ROY,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=SERENA_ROY cn=SERENA_ROY Object Details: sAMAccountType=805306368 sAMAccountName=SERENA_ROY logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1309 primaryGroupID=513 pwdLastSet=09:49.58 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=83b9a74e-157e-4b15-b71e-afdd77e94f7e whenChanged=07:20.15 PM, Wed 02/21/2024 whenCreated=09:49.58 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82107 uSNCreated=18323 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=ST-712-admingroup1,OU=Groups,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=AN-alfonsoca-distlist1,OU=Devices,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=MA-aud-distlist1,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=BO-abi-distlist1,OU=Stage,DC=attackrange,DC=local|CN=NA-pay-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=AN-izzie3331-admingroup1,OU=Groups,OU=GOO,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.893 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=VAUGHN_SUTTON@attackrange.local name=VAUGHN_SUTTON displayName=VAUGHN_SUTTON distinguishedName=CN=VAUGHN_SUTTON,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=VAUGHN_SUTTON cn=VAUGHN_SUTTON Object Details: sAMAccountType=805306368 sAMAccountName=VAUGHN_SUTTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1817 primaryGroupID=513 pwdLastSet=09:51.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=64e0498f-b114-4343-bebe-740123c62af5 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:51.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82106 uSNCreated=21896 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:14.861 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=PEDRO_DIXON@attackrange.local name=PEDRO_DIXON displayName=PEDRO_DIXON distinguishedName=CN=PEDRO_DIXON,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local sn=PEDRO_DIXON cn=PEDRO_DIXON Object Details: sAMAccountType=805306368 sAMAccountName=PEDRO_DIXON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1337 primaryGroupID=513 pwdLastSet=09:50.04 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=452eb667-c748-45de-aea2-40ff56ef1ad6 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:50.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82105 uSNCreated=18520 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:14.830 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DREW_CLAYTON@attackrange.local name=DREW_CLAYTON displayName=DREW_CLAYTON distinguishedName=CN=DREW_CLAYTON,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=DREW_CLAYTON cn=DREW_CLAYTON Object Details: sAMAccountType=805306368 sAMAccountName=DREW_CLAYTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2624 primaryGroupID=513 pwdLastSet=09:54.55 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8fa93ac4-a05f-41b7-9f0b-d1ad481ce475 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:54.55 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82104 uSNCreated=27566 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=BI-joseoscar-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=BR-zub-distlist1,OU=ServiceAccounts,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.815 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=1655173318SA@attackrange.local name=1655173318SA displayName=1655173318SA distinguishedName=CN=1655173318SA,OU=Staging,OU=Admin,DC=attackrange,DC=local sn=1655173318SA cn=1655173318SA Object Details: sAMAccountType=805306368 sAMAccountName=1655173318SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1549 primaryGroupID=513 pwdLastSet=09:50.57 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=1c020303-cd49-45d9-98fa-992835b309b9 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:50.57 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82103 uSNCreated=20011 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EL-laantifas-admingroup1,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=QU-104744421-distlist1,OU=People,DC=attackrange,DC=local|CN=AM-eiser_eis-distlist1,OU=T2-Devices,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MA-alo-distlist1,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CA-estrellap-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=RDS Remote Access Servers,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.783 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LEMUEL_LEE@attackrange.local name=LEMUEL_LEE displayName=LEMUEL_LEE distinguishedName=CN=LEMUEL_LEE,OU=People,DC=attackrange,DC=local sn=LEMUEL_LEE cn=LEMUEL_LEE Object Details: sAMAccountType=805306368 sAMAccountName=LEMUEL_LEE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3145 primaryGroupID=513 pwdLastSet=09:56.41 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=913416bc-04e8-4e09-8714-6b1d12b78209 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.41 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82102 uSNCreated=31226 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=RI-971-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-MUGROSITA-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.752 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DANIAL_MEYER@attackrange.local name=DANIAL_MEYER displayName=DANIAL_MEYER distinguishedName=CN=DANIAL_MEYER,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=DANIAL_MEYER cn=DANIAL_MEYER Object Details: sAMAccountType=805306368 sAMAccountName=DANIAL_MEYER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2966 primaryGroupID=513 pwdLastSet=09:56.07 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=1b538611-d262-458a-ab5e-4ac24c9e2c9c whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.07 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82101 uSNCreated=29968 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=DA-pin-admingroup1,OU=Groups,OU=OGC,OU=Stage,DC=attackrange,DC=local memberOf=CN=TA-beika0611-distlist1,OU=Tier 2,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=VE-at.madrid-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=BL-adi-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=41-tua-admingroup1,OU=Quarantine,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AN-swe-admingroup1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.733 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALLIE_FLOYD@attackrange.local name=ALLIE_FLOYD displayName=ALLIE_FLOYD distinguishedName=CN=ALLIE_FLOYD,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local sn=ALLIE_FLOYD cn=ALLIE_FLOYD Object Details: sAMAccountType=805306368 sAMAccountName=ALLIE_FLOYD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3209 primaryGroupID=513 pwdLastSet=09:56.53 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=6cc5db29-75b2-4ef5-a3ad-1fa0c84a1a47 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.53 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82100 uSNCreated=31675 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=DE-misterio6-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=CH-1314debor-distlist1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=HU-viv-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=DA-vinotinto-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RA-Esk-distlist1,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.996 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=VAUGHN_SUTTON@attackrange.local name=VAUGHN_SUTTON displayName=VAUGHN_SUTTON distinguishedName=CN=VAUGHN_SUTTON,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=VAUGHN_SUTTON cn=VAUGHN_SUTTON Object Details: sAMAccountType=805306368 sAMAccountName=VAUGHN_SUTTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1817 primaryGroupID=513 pwdLastSet=09:51.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=64e0498f-b114-4343-bebe-740123c62af5 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:51.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82106 uSNCreated=21896 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:14.981 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=PEDRO_DIXON@attackrange.local name=PEDRO_DIXON displayName=PEDRO_DIXON distinguishedName=CN=PEDRO_DIXON,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local sn=PEDRO_DIXON cn=PEDRO_DIXON Object Details: sAMAccountType=805306368 sAMAccountName=PEDRO_DIXON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1337 primaryGroupID=513 pwdLastSet=09:50.04 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=452eb667-c748-45de-aea2-40ff56ef1ad6 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:50.04 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82105 uSNCreated=18520 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:14.950 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DREW_CLAYTON@attackrange.local name=DREW_CLAYTON displayName=DREW_CLAYTON distinguishedName=CN=DREW_CLAYTON,OU=Test,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=DREW_CLAYTON cn=DREW_CLAYTON Object Details: sAMAccountType=805306368 sAMAccountName=DREW_CLAYTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2624 primaryGroupID=513 pwdLastSet=09:54.55 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8fa93ac4-a05f-41b7-9f0b-d1ad481ce475 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:54.55 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82104 uSNCreated=27566 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BI-170-admingroup1,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=BI-joseoscar-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=FA-lau-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=CH-neu-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=BR-zub-distlist1,OU=ServiceAccounts,OU=HRE,OU=Tier 1,DC=attackrange,DC=local|CN=DU-jos-distlist1,OU=T1-Devices,OU=Tier 1,OU=Admin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.918 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=1655173318SA@attackrange.local name=1655173318SA displayName=1655173318SA distinguishedName=CN=1655173318SA,OU=Staging,OU=Admin,DC=attackrange,DC=local sn=1655173318SA cn=1655173318SA Object Details: sAMAccountType=805306368 sAMAccountName=1655173318SA logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1549 primaryGroupID=513 pwdLastSet=09:50.57 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=1c020303-cd49-45d9-98fa-992835b309b9 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:50.57 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82103 uSNCreated=20011 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=EL-laantifas-admingroup1,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=QU-104744421-distlist1,OU=People,DC=attackrange,DC=local|CN=AM-eiser_eis-distlist1,OU=T2-Devices,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MA-alo-distlist1,OU=Devices,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=CA-estrellap-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ED-ich-admingroup1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=RDS Remote Access Servers,CN=Builtin,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.887 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=LEMUEL_LEE@attackrange.local name=LEMUEL_LEE displayName=LEMUEL_LEE distinguishedName=CN=LEMUEL_LEE,OU=People,DC=attackrange,DC=local sn=LEMUEL_LEE cn=LEMUEL_LEE Object Details: sAMAccountType=805306368 sAMAccountName=LEMUEL_LEE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3145 primaryGroupID=513 pwdLastSet=09:56.41 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=913416bc-04e8-4e09-8714-6b1d12b78209 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.41 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82102 uSNCreated=31226 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=RI-971-distlist1,OU=Test,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=RA-MUGROSITA-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.856 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DANIAL_MEYER@attackrange.local name=DANIAL_MEYER displayName=DANIAL_MEYER distinguishedName=CN=DANIAL_MEYER,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local sn=DANIAL_MEYER cn=DANIAL_MEYER Object Details: sAMAccountType=805306368 sAMAccountName=DANIAL_MEYER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2966 primaryGroupID=513 pwdLastSet=09:56.07 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=1b538611-d262-458a-ab5e-4ac24c9e2c9c whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.07 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82101 uSNCreated=29968 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=DA-pin-admingroup1,OU=Groups,OU=OGC,OU=Stage,DC=attackrange,DC=local memberOf=CN=TA-beika0611-distlist1,OU=Tier 2,DC=attackrange,DC=local|CN=LE-elemarioe-distlist1,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=VE-at.madrid-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=BL-adi-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=41-tua-admingroup1,OU=Quarantine,DC=attackrange,DC=local|CN=HA-440-distlist1,OU=Test,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=AN-swe-admingroup1,OU=ServiceAccounts,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=NA-pri-admingroup1,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:14.840 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALLIE_FLOYD@attackrange.local name=ALLIE_FLOYD displayName=ALLIE_FLOYD distinguishedName=CN=ALLIE_FLOYD,OU=Devices,OU=OGC,OU=Tier 1,DC=attackrange,DC=local sn=ALLIE_FLOYD cn=ALLIE_FLOYD Object Details: sAMAccountType=805306368 sAMAccountName=ALLIE_FLOYD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3209 primaryGroupID=513 pwdLastSet=09:56.53 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=6cc5db29-75b2-4ef5-a3ad-1fa0c84a1a47 whenChanged=07:20.14 PM, Wed 02/21/2024 whenCreated=09:56.53 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82100 uSNCreated=31675 instanceType=4 Additional Details: dSCorePropagationData=20240220220330.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=DE-misterio6-admingroup1,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=CH-1314debor-distlist1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=HU-viv-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=DA-vinotinto-distlist1,OU=AZR,OU=Stage,DC=attackrange,DC=local|CN=RA-Esk-distlist1,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=GE-art-distlist1,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 410615103150x0708608Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708607Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708606Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local23f698fc-5197-42b9-9202-fac7d82ac0962b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708605Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled | Get-Random -Count 10 # Loop through each user and disable the account foreach ($user in $randomUsers) { try { Disable-ADAccount -Identity $user.SamAccountName Write-Host "Account disabled for user: $($user.SamAccountName)" } catch { Write-Host "Failed to disable account for user: $($user.SamAccountName)" } } # Output the users whose accounts were disabled Write-Host "Disabled accounts for the following users:" $randomUsers | Select-Object SamAccountName 23f698fc-5197-42b9-9202-fac7d82ac096 410615103150x0708604Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708603Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708602Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local95b2198a-ec47-4e47-b83e-f8eefad3c7442b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708601Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708600Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708599Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local95b2198a-ec47-4e47-b83e-f8eefad3c7442b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708598Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11prompt95b2198a-ec47-4e47-b83e-f8eefad3c744 410615103150x0708597Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708596Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708595Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local58ec6f8d-01cd-4fa9-88a2-62a15823e3d82b535b4c-a403-4565-9d75-b1fc8c18a9ac 4725001382400x8020000000000000278726Securityar-win-dc.attackrange.localFAITH_KNOWLESATTACKRANGEATTACKRANGE\FAITH_KNOWLESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278725Securityar-win-dc.attackrange.local-FAITH_KNOWLESATTACKRANGEATTACKRANGE\FAITH_KNOWLESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278724Securityar-win-dc.attackrange.localGALE_SCHULTZATTACKRANGEATTACKRANGE\GALE_SCHULTZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278723Securityar-win-dc.attackrange.local-GALE_SCHULTZATTACKRANGEATTACKRANGE\GALE_SCHULTZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278722Securityar-win-dc.attackrange.localANNE_HARRISATTACKRANGEATTACKRANGE\ANNE_HARRISATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278721Securityar-win-dc.attackrange.local-ANNE_HARRISATTACKRANGEATTACKRANGE\ANNE_HARRISATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 02/21/2024 19:20:10.071 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FAITH_KNOWLES@attackrange.local name=FAITH_KNOWLES displayName=FAITH_KNOWLES distinguishedName=CN=FAITH_KNOWLES,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=FAITH_KNOWLES cn=FAITH_KNOWLES Object Details: sAMAccountType=805306368 sAMAccountName=FAITH_KNOWLES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3436 primaryGroupID=513 pwdLastSet=09:57.38 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=db182e2d-23bd-44b2-aa88-4398b5c749e3 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:57.38 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82099 uSNCreated=33272 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=AN-ame197979-distlist1,OU=Devices,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=GA-mabelis19-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=34-faz-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=JE-geminis89-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=BL-adi-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=SO-karajo200-distlist1,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=DE-tuming100-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:10.039 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GALE_SCHULTZ@attackrange.local name=GALE_SCHULTZ displayName=GALE_SCHULTZ distinguishedName=CN=GALE_SCHULTZ,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=GALE_SCHULTZ cn=GALE_SCHULTZ Object Details: sAMAccountType=805306368 sAMAccountName=GALE_SCHULTZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2725 primaryGroupID=513 pwdLastSet=09:55.16 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=c303cfc3-1574-4544-8582-0768c6188242 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:55.16 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82098 uSNCreated=28273 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z managedObjects=CN=GA-simplemen-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=RO-1.47258E1-distlist1,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RO-misamores-distlist1,OU=ServiceAccounts,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RO-d0t-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=KI-gra-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:10.008 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ANNE_HARRIS@attackrange.local name=ANNE_HARRIS displayName=ANNE_HARRIS distinguishedName=CN=ANNE_HARRIS,OU=HRE,OU=People,DC=attackrange,DC=local sn=ANNE_HARRIS cn=ANNE_HARRIS Object Details: sAMAccountType=805306368 sAMAccountName=ANNE_HARRIS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2507 primaryGroupID=513 pwdLastSet=09:54.30 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=011a1536-a2ac-4971-80b2-9c647fc2ef67 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:54.30 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82097 uSNCreated=26744 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 4725001382400x8020000000000000278720Securityar-win-dc.attackrange.localIMOGENE_CROSSATTACKRANGEATTACKRANGE\IMOGENE_CROSSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278719Securityar-win-dc.attackrange.local-IMOGENE_CROSSATTACKRANGEATTACKRANGE\IMOGENE_CROSSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278718Securityar-win-dc.attackrange.localANDREW_SANDERSATTACKRANGEATTACKRANGE\ANDREW_SANDERSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278717Securityar-win-dc.attackrange.local-ANDREW_SANDERSATTACKRANGEATTACKRANGE\ANDREW_SANDERSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278716Securityar-win-dc.attackrange.localJESS_COLONATTACKRANGEATTACKRANGE\JESS_COLONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278715Securityar-win-dc.attackrange.local-JESS_COLONATTACKRANGEATTACKRANGE\JESS_COLONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278714Securityar-win-dc.attackrange.localHUMBERTO_CRAWFORDATTACKRANGEATTACKRANGE\HUMBERTO_CRAWFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278713Securityar-win-dc.attackrange.local-HUMBERTO_CRAWFORDATTACKRANGEATTACKRANGE\HUMBERTO_CRAWFORDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278712Securityar-win-dc.attackrange.localMARCEL_GOFFATTACKRANGEATTACKRANGE\MARCEL_GOFFATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278711Securityar-win-dc.attackrange.local-MARCEL_GOFFATTACKRANGEATTACKRANGE\MARCEL_GOFFATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278710Securityar-win-dc.attackrange.localVAUGHN_CHANDLERATTACKRANGEATTACKRANGE\VAUGHN_CHANDLERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278709Securityar-win-dc.attackrange.local-VAUGHN_CHANDLERATTACKRANGEATTACKRANGE\VAUGHN_CHANDLERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278708Securityar-win-dc.attackrange.localFRANK_CHARLESATTACKRANGEATTACKRANGE\FRANK_CHARLESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278707Securityar-win-dc.attackrange.local-FRANK_CHARLESATTACKRANGEATTACKRANGE\FRANK_CHARLESATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 02/21/2024 19:20:09.992 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=IMOGENE_CROSS@attackrange.local name=IMOGENE_CROSS displayName=IMOGENE_CROSS distinguishedName=CN=IMOGENE_CROSS,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local sn=IMOGENE_CROSS cn=IMOGENE_CROSS Object Details: sAMAccountType=805306368 sAMAccountName=IMOGENE_CROSS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3012 primaryGroupID=513 pwdLastSet=09:56.16 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=375dd584-edc5-401b-9285-2a6e2de3ccf5 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:56.16 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82096 uSNCreated=30292 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:09.961 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ANDREW_SANDERS@attackrange.local name=ANDREW_SANDERS displayName=ANDREW_SANDERS distinguishedName=CN=ANDREW_SANDERS,OU=T1-Permissions,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=ANDREW_SANDERS cn=ANDREW_SANDERS Object Details: sAMAccountType=805306368 sAMAccountName=ANDREW_SANDERS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1471 primaryGroupID=513 pwdLastSet=09:50.37 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8e006fe2-9036-4606-b02d-f2df03cb1418 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:50.37 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82095 uSNCreated=19463 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-toimoilea-distlist1,OU=Groups,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-ismael98_-distlist1,OU=Groups,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=VI-tut-distlist1,OU=Devices,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AL-mon-distlist1,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=Allowed RODC Password Replication Group,CN=Users,DC=attackrange,DC=local description=Just so I dont forget my password is 7prNZEMMkjv!eS5659J6%Ca 02/21/2024 19:20:09.930 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JESS_COLON@attackrange.local name=JESS_COLON displayName=JESS_COLON distinguishedName=CN=JESS_COLON,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local sn=JESS_COLON cn=JESS_COLON Object Details: sAMAccountType=805306368 sAMAccountName=JESS_COLON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1601 primaryGroupID=513 pwdLastSet=09:51.10 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=0027d02e-5b87-4cac-ad63-97ea9fbcf2ae whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:51.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82094 uSNCreated=20376 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z managedObjects=CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local memberOf=CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=AN-k01-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-dvd-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=VA-ROZO12345-distlist1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=RE-ama-distlist1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RA-Esk-distlist1,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=KA-morenatea-admingroup1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=VE-at.madrid-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-conflict1-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=GO-Killadelp-distlist1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.899 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=HUMBERTO_CRAWFORD@attackrange.local name=HUMBERTO_CRAWFORD displayName=HUMBERTO_CRAWFORD distinguishedName=CN=HUMBERTO_CRAWFORD,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=HUMBERTO_CRAWFORD cn=HUMBERTO_CRAWFORD Object Details: sAMAccountType=805306368 sAMAccountName=HUMBERTO_CRAWFORD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3578 primaryGroupID=513 pwdLastSet=09:58.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=9d36734b-0dd8-4fd9-b626-28cc15dc9bce whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:58.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82093 uSNCreated=34271 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=HU-viv-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=DA-jesusesmi-distlist1,OU=Quarantine,DC=attackrange,DC=local|CN=CH-1314debor-distlist1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=94-152898251-distlist1,OU=Devices,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.883 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARCEL_GOFF@attackrange.local name=MARCEL_GOFF displayName=MARCEL_GOFF distinguishedName=CN=MARCEL_GOFF,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=MARCEL_GOFF cn=MARCEL_GOFF Object Details: sAMAccountType=805306368 sAMAccountName=MARCEL_GOFF logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3217 primaryGroupID=513 pwdLastSet=09:56.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=5f47a4d8-486c-478f-afb6-4fd84e784c4a whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:56.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82092 uSNCreated=31731 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ST-stormng5m-admingroup1,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.836 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=VAUGHN_CHANDLER@attackrange.local name=VAUGHN_CHANDLER displayName=VAUGHN_CHANDLER distinguishedName=CN=VAUGHN_CHANDLER,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=attackrange,DC=local sn=VAUGHN_CHANDLER cn=VAUGHN_CHANDLER Object Details: sAMAccountType=805306368 sAMAccountName=VAUGHN_CHANDLER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2196 primaryGroupID=513 pwdLastSet=09:53.23 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=87a21a52-3240-4c2f-b71e-404c12b257c1 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:53.23 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82091 uSNCreated=24558 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local memberOf=CN=KA-morenatea-admingroup1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=RI-romaomuer-distlist1,OU=Groups,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=DnsUpdateProxy,CN=Users,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.805 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FRANK_CHARLES@attackrange.local name=FRANK_CHARLES displayName=FRANK_CHARLES distinguishedName=CN=FRANK_CHARLES,OU=Testing,DC=attackrange,DC=local sn=FRANK_CHARLES cn=FRANK_CHARLES Object Details: sAMAccountType=805306368 sAMAccountName=FRANK_CHARLES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2130 primaryGroupID=513 pwdLastSet=09:53.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=f23ff473-ac7f-4b83-bd0c-f7d067ed5f9e whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:53.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82090 uSNCreated=24094 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JE-CHARLIEAN-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ID-jaumejuan-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=LA-9mesesjua-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-allisonro-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.960 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FAITH_KNOWLES@attackrange.local name=FAITH_KNOWLES displayName=FAITH_KNOWLES distinguishedName=CN=FAITH_KNOWLES,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=FAITH_KNOWLES cn=FAITH_KNOWLES Object Details: sAMAccountType=805306368 sAMAccountName=FAITH_KNOWLES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3436 primaryGroupID=513 pwdLastSet=09:57.38 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=db182e2d-23bd-44b2-aa88-4398b5c749e3 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:57.38 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82099 uSNCreated=33272 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=FA-new-distlist1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=AN-ame197979-distlist1,OU=Devices,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=GA-mabelis19-distlist1,OU=Staging,OU=Admin,DC=attackrange,DC=local|CN=34-faz-distlist1,OU=Groups,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=JE-geminis89-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=AN-stay811io-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=DE-ber-distlist1,OU=Devices,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=BL-adi-distlist1,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JU-awanteyre-distlist1,OU=Unassociated,OU=People,DC=attackrange,DC=local|CN=SO-karajo200-distlist1,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=DE-tuming100-distlist1,OU=AWS,OU=Tier 2,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.929 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=GALE_SCHULTZ@attackrange.local name=GALE_SCHULTZ displayName=GALE_SCHULTZ distinguishedName=CN=GALE_SCHULTZ,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=GALE_SCHULTZ cn=GALE_SCHULTZ Object Details: sAMAccountType=805306368 sAMAccountName=GALE_SCHULTZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2725 primaryGroupID=513 pwdLastSet=09:55.16 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=c303cfc3-1574-4544-8582-0768c6188242 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:55.16 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82098 uSNCreated=28273 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714042433.0Z managedObjects=CN=GA-simplemen-distlist1,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=GA-drd-admingroup1,OU=ServiceAccounts,OU=GOO,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=BR-uni-admingroup1,OU=ITS,OU=People,DC=attackrange,DC=local|CN=RO-1.47258E1-distlist1,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=RO-misamores-distlist1,OU=ServiceAccounts,OU=HRE,OU=Tier 2,DC=attackrange,DC=local|CN=RO-d0t-admingroup1,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=KI-gra-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local|CN=CA-sa5-distlist1,OU=Devices,OU=ITS,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.913 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ANNE_HARRIS@attackrange.local name=ANNE_HARRIS displayName=ANNE_HARRIS distinguishedName=CN=ANNE_HARRIS,OU=HRE,OU=People,DC=attackrange,DC=local sn=ANNE_HARRIS cn=ANNE_HARRIS Object Details: sAMAccountType=805306368 sAMAccountName=ANNE_HARRIS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2507 primaryGroupID=513 pwdLastSet=09:54.30 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=011a1536-a2ac-4971-80b2-9c647fc2ef67 whenChanged=07:20.10 PM, Wed 02/21/2024 whenCreated=09:54.30 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82097 uSNCreated=26744 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:09.882 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=IMOGENE_CROSS@attackrange.local name=IMOGENE_CROSS displayName=IMOGENE_CROSS distinguishedName=CN=IMOGENE_CROSS,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local sn=IMOGENE_CROSS cn=IMOGENE_CROSS Object Details: sAMAccountType=805306368 sAMAccountName=IMOGENE_CROSS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3012 primaryGroupID=513 pwdLastSet=09:56.16 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=375dd584-edc5-401b-9285-2a6e2de3ccf5 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:56.16 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82096 uSNCreated=30292 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:09.851 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ANDREW_SANDERS@attackrange.local name=ANDREW_SANDERS displayName=ANDREW_SANDERS distinguishedName=CN=ANDREW_SANDERS,OU=T1-Permissions,OU=Tier 1,OU=Admin,DC=attackrange,DC=local sn=ANDREW_SANDERS cn=ANDREW_SANDERS Object Details: sAMAccountType=805306368 sAMAccountName=ANDREW_SANDERS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1471 primaryGroupID=513 pwdLastSet=09:50.37 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8e006fe2-9036-4606-b02d-f2df03cb1418 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:50.37 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82095 uSNCreated=19463 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-toimoilea-distlist1,OU=Groups,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=BR-ismael98_-distlist1,OU=Groups,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=VI-tut-distlist1,OU=Devices,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=AL-mon-distlist1,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=Allowed RODC Password Replication Group,CN=Users,DC=attackrange,DC=local description=Just so I dont forget my password is 7prNZEMMkjv!eS5659J6%Ca 02/21/2024 19:20:09.835 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=JESS_COLON@attackrange.local name=JESS_COLON displayName=JESS_COLON distinguishedName=CN=JESS_COLON,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local sn=JESS_COLON cn=JESS_COLON Object Details: sAMAccountType=805306368 sAMAccountName=JESS_COLON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1601 primaryGroupID=513 pwdLastSet=09:51.10 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=0027d02e-5b87-4cac-ad63-97ea9fbcf2ae whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:51.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82094 uSNCreated=20376 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z managedObjects=CN=JE-tom-distlist1,OU=Groups,OU=ESM,OU=Tier 2,DC=attackrange,DC=local memberOf=CN=BE-100-distlist1,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=AN-k01-distlist1,OU=Test,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=MA-dvd-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=VA-ROZO12345-distlist1,OU=Groups,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=RE-ama-distlist1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=RA-Esk-distlist1,OU=TST,OU=Tier 1,DC=attackrange,DC=local|CN=KA-morenatea-admingroup1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=VE-at.madrid-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=CH-conflict1-distlist1,OU=Groups,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=GO-Killadelp-distlist1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.804 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=HUMBERTO_CRAWFORD@attackrange.local name=HUMBERTO_CRAWFORD displayName=HUMBERTO_CRAWFORD distinguishedName=CN=HUMBERTO_CRAWFORD,OU=Devices,OU=BDE,OU=Stage,DC=attackrange,DC=local sn=HUMBERTO_CRAWFORD cn=HUMBERTO_CRAWFORD Object Details: sAMAccountType=805306368 sAMAccountName=HUMBERTO_CRAWFORD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3578 primaryGroupID=513 pwdLastSet=09:58.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=9d36734b-0dd8-4fd9-b626-28cc15dc9bce whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:58.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82093 uSNCreated=34271 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z managedObjects=CN=HU-viv-distlist1,OU=Groups,OU=AWS,OU=Tier 1,DC=attackrange,DC=local memberOf=CN=DA-jesusesmi-distlist1,OU=Quarantine,DC=attackrange,DC=local|CN=CH-1314debor-distlist1,OU=Groups,OU=OGC,OU=Tier 1,DC=attackrange,DC=local|CN=VI-1254guapa-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local|CN=RO-757-distlist1,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=AN-hopitalma-admingroup1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=94-152898251-distlist1,OU=Devices,OU=TST,OU=Tier 2,DC=attackrange,DC=local|CN=TA-ulises870-distlist1,OU=Test,OU=GOO,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.773 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=MARCEL_GOFF@attackrange.local name=MARCEL_GOFF displayName=MARCEL_GOFF distinguishedName=CN=MARCEL_GOFF,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=MARCEL_GOFF cn=MARCEL_GOFF Object Details: sAMAccountType=805306368 sAMAccountName=MARCEL_GOFF logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3217 primaryGroupID=513 pwdLastSet=09:56.54 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=5f47a4d8-486c-478f-afb6-4fd84e784c4a whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:56.54 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82092 uSNCreated=31731 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=SA-WA1016003-admingroup1,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=ST-stormng5m-admingroup1,OU=ESM,OU=Stage,DC=attackrange,DC=local|CN=MA-mar-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.726 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=VAUGHN_CHANDLER@attackrange.local name=VAUGHN_CHANDLER displayName=VAUGHN_CHANDLER distinguishedName=CN=VAUGHN_CHANDLER,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=attackrange,DC=local sn=VAUGHN_CHANDLER cn=VAUGHN_CHANDLER Object Details: sAMAccountType=805306368 sAMAccountName=VAUGHN_CHANDLER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2196 primaryGroupID=513 pwdLastSet=09:53.23 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=87a21a52-3240-4c2f-b71e-404c12b257c1 whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:53.23 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82091 uSNCreated=24558 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z managedObjects=CN=VA-sil-distlist1,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=attackrange,DC=local memberOf=CN=KA-morenatea-admingroup1,OU=FIN,OU=Tier 2,DC=attackrange,DC=local|CN=RI-romaomuer-distlist1,OU=Groups,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=DnsUpdateProxy,CN=Users,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:09.710 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=FRANK_CHARLES@attackrange.local name=FRANK_CHARLES displayName=FRANK_CHARLES distinguishedName=CN=FRANK_CHARLES,OU=Testing,DC=attackrange,DC=local sn=FRANK_CHARLES cn=FRANK_CHARLES Object Details: sAMAccountType=805306368 sAMAccountName=FRANK_CHARLES logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2130 primaryGroupID=513 pwdLastSet=09:53.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=f23ff473-ac7f-4b83-bd0c-f7d067ed5f9e whenChanged=07:20.09 PM, Wed 02/21/2024 whenCreated=09:53.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82090 uSNCreated=24094 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=TO-hakim2002-distlist1,OU=Tier 1,OU=Admin,DC=attackrange,DC=local|CN=JE-CHARLIEAN-distlist1,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=attackrange,DC=local|CN=ID-jaumejuan-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=36-qui-distlist1,OU=Groups,OU=ESM,OU=Tier 1,DC=attackrange,DC=local|CN=CO-adi-distlist1,OU=Devices,OU=ITS,OU=Stage,DC=attackrange,DC=local|CN=LA-9mesesjua-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=AN-allisonro-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 410615103150x0708594Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708593Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708592Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local58ec6f8d-01cd-4fa9-88a2-62a15823e3d82b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708591Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled | Get-Random -Count 10 # Loop through each user and disable the account foreach ($user in $randomUsers) { try { Disable-ADAccount -Identity $user.SamAccountName Write-Host "Account disabled for user: $($user.SamAccountName)" } catch { Write-Host "Failed to disable account for user: $($user.SamAccountName)" } } # Output the users whose accounts were disabled Write-Host "Disabled accounts for the following users:" $randomUsers | Select-Object SamAccountName 58ec6f8d-01cd-4fa9-88a2-62a15823e3d8 410615103150x0708590Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708589Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708588Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbffe99e7-895a-452c-8512-051d3355296d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708587Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708586Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb89c8af9-c403-45fb-b304-71636da113242b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708585Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localbffe99e7-895a-452c-8512-051d3355296d2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708584Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11promptbffe99e7-895a-452c-8512-051d3355296d 410615103150x0708583Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708582Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localb9f3b2e9-10e9-4334-8016-5353833bf87b2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410615103150x0708581Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcb2b5d5a-246b-4285-93e2-0eac2ed37ab42b535b4c-a403-4565-9d75-b1fc8c18a9ac 4725001382400x8020000000000000278706Securityar-win-dc.attackrange.localDEIDRE_JUAREZATTACKRANGEATTACKRANGE\DEIDRE_JUAREZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278705Securityar-win-dc.attackrange.local-DEIDRE_JUAREZATTACKRANGEATTACKRANGE\DEIDRE_JUAREZATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278704Securityar-win-dc.attackrange.localAVA_WALKERATTACKRANGEATTACKRANGE\AVA_WALKERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278703Securityar-win-dc.attackrange.local-AVA_WALKERATTACKRANGEATTACKRANGE\AVA_WALKERATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278702Securityar-win-dc.attackrange.localZACHARIAH_COXATTACKRANGEATTACKRANGE\ZACHARIAH_COXATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278701Securityar-win-dc.attackrange.local-ZACHARIAH_COXATTACKRANGEATTACKRANGE\ZACHARIAH_COXATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278700Securityar-win-dc.attackrange.localTOD_BLACKWELLATTACKRANGEATTACKRANGE\TOD_BLACKWELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278699Securityar-win-dc.attackrange.local-TOD_BLACKWELLATTACKRANGEATTACKRANGE\TOD_BLACKWELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278698Securityar-win-dc.attackrange.localEDGARDO_MEADOWSATTACKRANGEATTACKRANGE\EDGARDO_MEADOWSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278697Securityar-win-dc.attackrange.local-EDGARDO_MEADOWSATTACKRANGEATTACKRANGE\EDGARDO_MEADOWSATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278696Securityar-win-dc.attackrange.localKAYE_FITZGERALDATTACKRANGEATTACKRANGE\KAYE_FITZGERALDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278695Securityar-win-dc.attackrange.local-KAYE_FITZGERALDATTACKRANGEATTACKRANGE\KAYE_FITZGERALDATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278694Securityar-win-dc.attackrange.localRUSS_HOUSTONATTACKRANGEATTACKRANGE\RUSS_HOUSTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278693Securityar-win-dc.attackrange.local-RUSS_HOUSTONATTACKRANGEATTACKRANGE\RUSS_HOUSTONATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278692Securityar-win-dc.attackrange.localRACHAEL_JUSTICEATTACKRANGEATTACKRANGE\RACHAEL_JUSTICEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278691Securityar-win-dc.attackrange.local-RACHAEL_JUSTICEATTACKRANGEATTACKRANGE\RACHAEL_JUSTICEATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100100x10011 %%2080--- 4725001382400x8020000000000000278690Securityar-win-dc.attackrange.localALICIA_AVERYATTACKRANGEATTACKRANGE\ALICIA_AVERYATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278689Securityar-win-dc.attackrange.local-ALICIA_AVERYATTACKRANGEATTACKRANGE\ALICIA_AVERYATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 4725001382400x8020000000000000278688Securityar-win-dc.attackrange.localROD_RUSSELLATTACKRANGEATTACKRANGE\ROD_RUSSELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1 4738001382400x8020000000000000278687Securityar-win-dc.attackrange.local-ROD_RUSSELLATTACKRANGEATTACKRANGE\ROD_RUSSELLATTACKRANGE\AdministratorAdministratorATTACKRANGE0x592d1-------------0x100x11 %%2080--- 02/21/2024 19:20:03.568 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DEIDRE_JUAREZ@attackrange.local name=DEIDRE_JUAREZ displayName=DEIDRE_JUAREZ distinguishedName=CN=DEIDRE_JUAREZ,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=DEIDRE_JUAREZ cn=DEIDRE_JUAREZ Object Details: sAMAccountType=805306368 sAMAccountName=DEIDRE_JUAREZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3161 primaryGroupID=513 pwdLastSet=09:56.44 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=2b1d8a02-56e3-44d9-88a2-a55041555e37 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.44 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82089 uSNCreated=31338 instanceType=4 Additional Details: dSCorePropagationData=20240220223647.0Z|20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|16010714042432.0Z adminCount=1 memberOf=CN=Domain Admins,CN=Users,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.458 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=DEIDRE_JUAREZ@attackrange.local name=DEIDRE_JUAREZ displayName=DEIDRE_JUAREZ distinguishedName=CN=DEIDRE_JUAREZ,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=DEIDRE_JUAREZ cn=DEIDRE_JUAREZ Object Details: sAMAccountType=805306368 sAMAccountName=DEIDRE_JUAREZ logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3161 primaryGroupID=513 pwdLastSet=09:56.44 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=2b1d8a02-56e3-44d9-88a2-a55041555e37 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.44 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82089 uSNCreated=31338 instanceType=4 Additional Details: dSCorePropagationData=20240220223647.0Z|20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|16010714042432.0Z adminCount=1 memberOf=CN=Domain Admins,CN=Users,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.522 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=AVA_WALKER@attackrange.local name=AVA_WALKER displayName=AVA_WALKER distinguishedName=CN=AVA_WALKER,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=AVA_WALKER cn=AVA_WALKER Object Details: sAMAccountType=805306368 sAMAccountName=AVA_WALKER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1253 primaryGroupID=513 pwdLastSet=09:49.44 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4de6eeac-f851-4ef7-a79d-fe7cdd4b1fa7 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:49.44 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82088 uSNCreated=17928 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.427 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=AVA_WALKER@attackrange.local name=AVA_WALKER displayName=AVA_WALKER distinguishedName=CN=AVA_WALKER,OU=Test,OU=FIN,OU=Tier 2,DC=attackrange,DC=local sn=AVA_WALKER cn=AVA_WALKER Object Details: sAMAccountType=805306368 sAMAccountName=AVA_WALKER logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1253 primaryGroupID=513 pwdLastSet=09:49.44 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4de6eeac-f851-4ef7-a79d-fe7cdd4b1fa7 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:49.44 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82088 uSNCreated=17928 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.380 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ZACHARIAH_COX@attackrange.local name=ZACHARIAH_COX displayName=ZACHARIAH_COX distinguishedName=CN=ZACHARIAH_COX,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local sn=ZACHARIAH_COX cn=ZACHARIAH_COX Object Details: sAMAccountType=805306368 sAMAccountName=ZACHARIAH_COX logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1416 primaryGroupID=513 pwdLastSet=09:50.24 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=b7cb57ef-305d-4cd7-8bf6-17c1386fcecc whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:50.24 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82087 uSNCreated=19076 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=IR-escorpion-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=35-123-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=GL-baripochu-admingroup1,OU=Test,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Cho-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=AL-SANFELIPE-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.473 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ZACHARIAH_COX@attackrange.local name=ZACHARIAH_COX displayName=ZACHARIAH_COX distinguishedName=CN=ZACHARIAH_COX,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local sn=ZACHARIAH_COX cn=ZACHARIAH_COX Object Details: sAMAccountType=805306368 sAMAccountName=ZACHARIAH_COX logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1416 primaryGroupID=513 pwdLastSet=09:50.24 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=b7cb57ef-305d-4cd7-8bf6-17c1386fcecc whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:50.24 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82087 uSNCreated=19076 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714223649.0Z memberOf=CN=IR-escorpion-distlist1,OU=ServiceAccounts,OU=AWS,OU=Tier 1,DC=attackrange,DC=local|CN=VI-eug-distlist1,OU=FSR,OU=Tier 1,DC=attackrange,DC=local|CN=AM-ricardito-distlist1,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=attackrange,DC=local|CN=MA-118-distlist1,OU=Stage,DC=attackrange,DC=local|CN=35-123-distlist1,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=GL-baripochu-admingroup1,OU=Test,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-Cho-distlist1,OU=ServiceAccounts,OU=BDE,OU=Tier 1,DC=attackrange,DC=local|CN=AL-SANFELIPE-distlist1,OU=T0-Accounts,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=LA-shadow619-admingroup1,OU=Devices,OU=GOO,OU=Tier 2,DC=attackrange,DC=local|CN=41-romera3ma-distlist1,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=ED-1305arthu-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.426 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=TOD_BLACKWELL@attackrange.local name=TOD_BLACKWELL displayName=TOD_BLACKWELL distinguishedName=CN=TOD_BLACKWELL,OU=ServiceAccounts,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=TOD_BLACKWELL cn=TOD_BLACKWELL Object Details: sAMAccountType=805306368 sAMAccountName=TOD_BLACKWELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3588 primaryGroupID=513 pwdLastSet=09:58.11 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=3817c95b-b373-4dc9-bedb-d208fa286993 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:58.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82086 uSNCreated=34342 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=CA-peneenorm-admingroup1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=AL-lobosam97-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tim-admingroup1,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.395 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=EDGARDO_MEADOWS@attackrange.local name=EDGARDO_MEADOWS displayName=EDGARDO_MEADOWS distinguishedName=CN=EDGARDO_MEADOWS,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=EDGARDO_MEADOWS cn=EDGARDO_MEADOWS Object Details: sAMAccountType=805306368 sAMAccountName=EDGARDO_MEADOWS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3067 primaryGroupID=513 pwdLastSet=09:56.26 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=231c97d4-c297-4c41-b0a8-5250a4d32559 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82085 uSNCreated=30679 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z managedObjects=CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ED-bal-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=GL-baripochu-admingroup1,OU=Test,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=KI-gra-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.364 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KAYE_FITZGERALD@attackrange.local name=KAYE_FITZGERALD displayName=KAYE_FITZGERALD distinguishedName=CN=KAYE_FITZGERALD,OU=TST,OU=Stage,DC=attackrange,DC=local sn=KAYE_FITZGERALD cn=KAYE_FITZGERALD Object Details: sAMAccountType=805306368 sAMAccountName=KAYE_FITZGERALD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1592 primaryGroupID=513 pwdLastSet=09:51.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=6ea4b57c-caa3-44de-bc22-9e9d6f9fb93b whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:51.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82084 uSNCreated=20313 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.317 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RUSS_HOUSTON@attackrange.local name=RUSS_HOUSTON displayName=RUSS_HOUSTON distinguishedName=CN=RUSS_HOUSTON,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=RUSS_HOUSTON cn=RUSS_HOUSTON Object Details: sAMAccountType=805306368 sAMAccountName=RUSS_HOUSTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3205 primaryGroupID=513 pwdLastSet=09:56.52 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=9a394b9f-8e95-4307-925a-6cc6ef18a934 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.52 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82083 uSNCreated=31647 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223233.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.270 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RACHAEL_JUSTICE@attackrange.local name=RACHAEL_JUSTICE displayName=RACHAEL_JUSTICE distinguishedName=CN=RACHAEL_JUSTICE,OU=Devices,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=RACHAEL_JUSTICE cn=RACHAEL_JUSTICE Object Details: sAMAccountType=805306368 sAMAccountName=RACHAEL_JUSTICE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2079 primaryGroupID=513 pwdLastSet=09:52.56 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=98c0fee5-481b-459a-9d20-b5b16c9ede7a whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:52.56 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82082 uSNCreated=23737 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=FR-cav-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=RI-asc-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=NA-pay-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.223 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALICIA_AVERY@attackrange.local name=ALICIA_AVERY displayName=ALICIA_AVERY distinguishedName=CN=ALICIA_AVERY,OU=Test,OU=TST,OU=Tier 1,DC=attackrange,DC=local sn=ALICIA_AVERY cn=ALICIA_AVERY Object Details: sAMAccountType=805306368 sAMAccountName=ALICIA_AVERY logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1906 primaryGroupID=513 pwdLastSet=09:52.18 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4018815c-25a5-4710-92e0-74388bd83bea whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:52.18 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82081 uSNCreated=22523 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BA-Lis-admingroup1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=MI-ata-distlist1,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ST-oscar1904-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=HI-nov-distlist1,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=OD-4ke-admingroup1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.176 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROD_RUSSELL@attackrange.local name=ROD_RUSSELL displayName=ROD_RUSSELL distinguishedName=CN=ROD_RUSSELL,OU=Devices,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=ROD_RUSSELL cn=ROD_RUSSELL Object Details: sAMAccountType=805306368 sAMAccountName=ROD_RUSSELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3103 primaryGroupID=513 pwdLastSet=09:56.33 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8a88b27e-2d88-41b6-a902-95b11e267dba whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.33 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82080 uSNCreated=30932 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=GU-2.9-distlist1,OU=T0-Servers,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=MA-alf-admingroup1,OU=Groups,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=JA-arschloch-distlist1,OU=Domain Controllers,DC=attackrange,DC=local|CN=BI-joseoscar-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.330 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=TOD_BLACKWELL@attackrange.local name=TOD_BLACKWELL displayName=TOD_BLACKWELL distinguishedName=CN=TOD_BLACKWELL,OU=ServiceAccounts,OU=HRE,OU=Tier 1,DC=attackrange,DC=local sn=TOD_BLACKWELL cn=TOD_BLACKWELL Object Details: sAMAccountType=805306368 sAMAccountName=TOD_BLACKWELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3588 primaryGroupID=513 pwdLastSet=09:58.11 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=3817c95b-b373-4dc9-bedb-d208fa286993 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:58.10 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82086 uSNCreated=34342 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220327.0Z|16010714042433.0Z memberOf=CN=CA-peneenorm-admingroup1,OU=HRE,OU=Stage,DC=attackrange,DC=local|CN=AL-lobosam97-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=CO-aideeygab-admingroup1,OU=Devices,OU=ESM,OU=Tier 2,DC=attackrange,DC=local|CN=JE-tim-admingroup1,OU=Groups,OU=TST,OU=Stage,DC=attackrange,DC=local|CN=CL-tar-distlist1,OU=Test,OU=OGC,OU=Tier 2,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.282 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=EDGARDO_MEADOWS@attackrange.local name=EDGARDO_MEADOWS displayName=EDGARDO_MEADOWS distinguishedName=CN=EDGARDO_MEADOWS,OU=Devices,OU=ESM,OU=Tier 1,DC=attackrange,DC=local sn=EDGARDO_MEADOWS cn=EDGARDO_MEADOWS Object Details: sAMAccountType=805306368 sAMAccountName=EDGARDO_MEADOWS logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3067 primaryGroupID=513 pwdLastSet=09:56.26 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=231c97d4-c297-4c41-b0a8-5250a4d32559 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.26 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82085 uSNCreated=30679 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220328.0Z|20240220220327.0Z|16010714223649.0Z managedObjects=CN=ED-fulanitaa-distlist1,OU=Devices,OU=FIN,OU=Stage,DC=attackrange,DC=local|CN=ED-bal-distlist1,OU=Devices,OU=FSR,OU=Stage,DC=attackrange,DC=local memberOf=CN=IM-pulgoso26-distlist1,OU=ServiceAccounts,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=GL-baripochu-admingroup1,OU=Test,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=KI-gra-distlist1,OU=FIN,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.251 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=KAYE_FITZGERALD@attackrange.local name=KAYE_FITZGERALD displayName=KAYE_FITZGERALD distinguishedName=CN=KAYE_FITZGERALD,OU=TST,OU=Stage,DC=attackrange,DC=local sn=KAYE_FITZGERALD cn=KAYE_FITZGERALD Object Details: sAMAccountType=805306368 sAMAccountName=KAYE_FITZGERALD logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1592 primaryGroupID=513 pwdLastSet=09:51.08 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=6ea4b57c-caa3-44de-bc22-9e9d6f9fb93b whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:51.08 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82084 uSNCreated=20313 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|20240220220325.0Z|16010714223649.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.219 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RUSS_HOUSTON@attackrange.local name=RUSS_HOUSTON displayName=RUSS_HOUSTON distinguishedName=CN=RUSS_HOUSTON,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=attackrange,DC=local sn=RUSS_HOUSTON cn=RUSS_HOUSTON Object Details: sAMAccountType=805306368 sAMAccountName=RUSS_HOUSTON logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3205 primaryGroupID=513 pwdLastSet=09:56.52 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=9a394b9f-8e95-4307-925a-6cc6ef18a934 whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.52 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82083 uSNCreated=31647 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220327.0Z|16010714223233.0Z description=Created with secframe.com/badblood. 02/21/2024 19:20:03.157 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=RACHAEL_JUSTICE@attackrange.local name=RACHAEL_JUSTICE displayName=RACHAEL_JUSTICE distinguishedName=CN=RACHAEL_JUSTICE,OU=Devices,OU=FSR,OU=Tier 2,DC=attackrange,DC=local sn=RACHAEL_JUSTICE cn=RACHAEL_JUSTICE Object Details: sAMAccountType=805306368 sAMAccountName=RACHAEL_JUSTICE logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-2079 primaryGroupID=513 pwdLastSet=09:52.56 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=4194818 objectGUID=98c0fee5-481b-459a-9d20-b5b16c9ede7a whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:52.56 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82082 uSNCreated=23737 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|16010714223649.0Z memberOf=CN=FR-cav-distlist1,OU=SEC,OU=Stage,DC=attackrange,DC=local|CN=RI-asc-distlist1,OU=Groups,OU=ITS,OU=Tier 1,DC=attackrange,DC=local|CN=NA-pay-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.121 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ALICIA_AVERY@attackrange.local name=ALICIA_AVERY displayName=ALICIA_AVERY distinguishedName=CN=ALICIA_AVERY,OU=Test,OU=TST,OU=Tier 1,DC=attackrange,DC=local sn=ALICIA_AVERY cn=ALICIA_AVERY Object Details: sAMAccountType=805306368 sAMAccountName=ALICIA_AVERY logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-1906 primaryGroupID=513 pwdLastSet=09:52.18 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=4018815c-25a5-4710-92e0-74388bd83bea whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:52.18 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82081 uSNCreated=22523 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220327.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=BA-Lis-admingroup1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=MI-ata-distlist1,OU=OGC,OU=Stage,DC=attackrange,DC=local|CN=ST-oscar1904-distlist1,OU=BDE,OU=Stage,DC=attackrange,DC=local|CN=DE-mar-distlist1,OU=SEC,OU=Tier 2,DC=attackrange,DC=local|CN=MA-920-distlist1,OU=Deprovisioned,OU=People,DC=attackrange,DC=local|CN=HI-nov-distlist1,OU=Test,OU=GOO,OU=Tier 1,DC=attackrange,DC=local|CN=OD-4ke-admingroup1,OU=Test,OU=HRE,OU=Stage,DC=attackrange,DC=local description=Created with secframe.com/badblood. 02/21/2024 19:20:03.074 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=attackrange,DC=local userPrincipalName=ROD_RUSSELL@attackrange.local name=ROD_RUSSELL displayName=ROD_RUSSELL distinguishedName=CN=ROD_RUSSELL,OU=Devices,OU=AZR,OU=Stage,DC=attackrange,DC=local sn=ROD_RUSSELL cn=ROD_RUSSELL Object Details: sAMAccountType=805306368 sAMAccountName=ROD_RUSSELL logonCount=0 accountExpires=Never Expires objectSid=S-1-5-21-2851375338-1978525053-2422663219-3103 primaryGroupID=513 pwdLastSet=09:56.33 PM, Tue 02/20/2024 lastLogon=0 lastLogoff=0 badPasswordTime=0 countryCode=0 codePage=0 badPwdCount=0 userAccountControl=514 objectGUID=8a88b27e-2d88-41b6-a902-95b11e267dba whenChanged=07:20.03 PM, Wed 02/21/2024 whenCreated=09:56.33 PM, Tue 02/20/2024 objectClass=top|person|organizationalPerson|user Event Details: uSNChanged=82080 uSNCreated=30932 instanceType=4 Additional Details: dSCorePropagationData=20240220220329.0Z|20240220220328.0Z|20240220220326.0Z|20240220220325.0Z|16010714223649.0Z memberOf=CN=GU-2.9-distlist1,OU=T0-Servers,OU=Tier 0,OU=Admin,DC=attackrange,DC=local|CN=MA-alf-admingroup1,OU=Groups,OU=ITS,OU=Tier 2,DC=attackrange,DC=local|CN=JA-arschloch-distlist1,OU=Domain Controllers,DC=attackrange,DC=local|CN=BI-joseoscar-distlist1,OU=Test,OU=AZR,OU=Tier 2,DC=attackrange,DC=local|CN=NO-sab-distlist1,OU=Devices,OU=BDE,OU=Tier 2,DC=attackrange,DC=local|CN=TI-1154talis-admingroup1,OU=GOO,OU=People,DC=attackrange,DC=local|CN=LA-amoadrake-admingroup1,OU=OGC,OU=Tier 2,DC=attackrange,DC=local|CN=41-ACUARIO22-distlist1,OU=BDE,OU=Tier 1,DC=attackrange,DC=local description=Created with secframe.com/badblood. 4627001255400x8020000000000000278686Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x308c35311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278685Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x308c353KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::149408%%1833---%%18430x0%%1842 4672001254800x8020000000000000278684Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x308c35SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000278683Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3077eb3 410615103150x0708580Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708579Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local2efb8b96-ee36-40d2-8eae-26b227b21fad2b535b4c-a403-4565-9d75-b1fc8c18a9ac 410515102150x0708578Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.localcb2b5d5a-246b-4285-93e2-0eac2ed37ab42b535b4c-a403-4565-9d75-b1fc8c18a9ac 4104152150x0708577Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local11# Import Active Directory module Import-Module ActiveDirectory # Get 10 random user accounts $randomUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties Enabled | Get-Random -Count 10 # Loop through each user and disable the account foreach ($user in $randomUsers) { try { Disable-ADAccount -Identity $user.SamAccountName Write-Host "Account disabled for user: $($user.SamAccountName)" } catch { Write-Host "Failed to disable account for user: $($user.SamAccountName)" } } # Output the users whose accounts were disabled Write-Host "Disabled accounts for the following users:" $randomUsers | Select-Object SamAccountName cb2b5d5a-246b-4285-93e2-0eac2ed37ab4 410615103150x0708576Microsoft-Windows-PowerShell/Operationalar-win-dc.attackrange.local7ec19624-1d1b-4ee4-8628-108f3cd12dcf2b535b4c-a403-4565-9d75-b1fc8c18a9ac 4627001255400x8020000000000000278682Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2851375338-1978525053-2422663219-1008AR-WIN-DC$ATTACKRANGE.LOCAL0x307fb7311 ATTACKRANGE\Domain Controllers %{S-1-1-0} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\DA-cho-distlist1 %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group NT AUTHORITY\NETWORK SERVICE Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278681Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE.LOCAL0x307fb73KerberosKerberos-{7a7c9e71-b2c3-e44e-0e0d-b2ab127d7d5a}--00x0---%%1840---%%18430x0%%1842 4672001254800x8020000000000000278680Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE0x307fb7SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 5140101280800x8020000000000000278679Securityar-win-dc.attackrange.localNT AUTHORITY\NETWORK SERVICEAR-WIN-DC$ATTACKRANGE0x3e4Filefe80::2c4d:3504:6979:e6f250202\\*\IPC$0x1%%4416 5140101280800x8020000000000000278678Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3077ebFilefe80::2c4d:3504:6979:e6f250201\\*\SYSVOL\??\C:\Windows\SYSVOL\sysvol0x1%%4416 5140101280800x8020000000000000278677Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3077ebFilefe80::2c4d:3504:6979:e6f250201\\*\IPC$0x1%%4416 4627001255400x8020000000000000278676Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x3077eb311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278675Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x3077eb3KerberosKerberos-{bf77338b-1ba9-4b3c-442e-31e2b3bbd0d6}--00x0-fe80::2c4d:3504:6979:e6f250201%%1840---%%18430x0%%1842 4672001254800x8020000000000000278674Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3077ebSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000278673Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x306dad3 4627001255400x8020000000000000278672Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x306dad311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2851375338-1978525053-2422663219-4094} ATTACKRANGE\Domain Controllers %{S-1-5-21-2851375338-1978525053-2422663219-4031} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000278671Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x306dad3KerberosKerberos-{f3646241-c5f1-555e-7d32-07ccc4d309fd}--00x0-::150199%%1833---%%18430x0%%1842 4672001254800x8020000000000000278670Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x306dadSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4689001331300x8020000000000000427547Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x3d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 154100x800000000000000043249Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:19:21.839{501DA29B-4CB9-65D6-5104-000000004903}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427546Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x3d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045522Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:19:21.138{0b642d80-4cb9-65d6-9c04-00000000be02}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=056A3A318008FF93D6951CA5561B052F,SHA256=9FCD6D853054A359FDAB4CE80E110DEF60EA62DBE7EA90DCBA0FC0F778D0C4E7,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278669Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x2ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000278668Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x2ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427545Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000427544Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043248Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:19:21.089{501DA29B-4CB9-65D6-5004-000000004903}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278667Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000427543Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x13c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000427542Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x13c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043247Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:19:20.339{501DA29B-4CB8-65D6-4F04-000000004903}5060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000045521Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:19:20.387{0b642d80-4cb8-65d6-9b04-00000000be02}1380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000278666Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045520Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:19:19.635{0b642d80-4cb7-65d6-9a04-00000000be02}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278665Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x4acC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000278664Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x4acC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000043246Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:19:19.601{501DA29B-4CB7-65D6-4E04-000000004903}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000427541Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x9b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000427540Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x9b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000427539Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x137cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000278663Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xdccC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 154100x800000000000000043245Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2024-02-21 19:19:18.839{501DA29B-4CB6-65D6-4D04-000000004903}4988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{501DA29B-29AE-65D6-E703-000000000000}0x3e70SystemMD5=5D35E9914422D9C706AFE92A26C18BA4,SHA256=A6A74EBF5C9B5AEBFE110416C8E96078AFBCC4582B3F200DABB7353946A5A7F6,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{501DA29B-29B0-65D6-1E00-000000004903}2008C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4688201331200x8020000000000000427538Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x137cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d8"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000278662Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xdccC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000278661Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1194C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000278660Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1194C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xc20"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000045519Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:19:18.885{0b642d80-4cb6-65d6-9904-00000000be02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=513972A5A10DC2984285F0B15171C10E,SHA256=B025CC16487F6B5B1D63E7080172856F56A669764AF01CCE8C06B4CFDECCD682,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 154100x800000000000000045518Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2024-02-21 19:19:18.135{0b642d80-4cb6-65d6-9804-00000000be02}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0b642d80-29ad-65d6-e703-000000000000}0x3e70SystemMD5=A434E761D405DDC4EC4411D69D80BAAB,SHA256=DC09085E78020D3044660ED762A8FDBEA00FD859B4EADBE92F8725A9A654F294,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{0b642d80-29c0-65d6-4e00-00000000be02}3104C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceNT AUTHORITY\SYSTEM 4689001331300x8020000000000000278659Securityar-win-dc.attackrange.localNT AUTHORITY\NETWORK SERVICEAR-WIN-DC$ATTACKRANGE0x3e40x00x1498C:\Windows\System32\wbem\WmiPrvSE.exe 4673001305700x8010000000000000278658Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 4673001305700x8010000000000000278657Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe 4673001305700x8010000000000000278656Securityar-win-dc.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x54cC:\Windows\System32\svchost.exe