04/20/2021 08:31:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305519 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc88 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:31:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305518 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc88 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305517 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x6a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:31:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305516 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x6a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305521 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x7dc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 04/20/2021 08:31:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305520 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305525 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1404 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 04/20/2021 08:31:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305524 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1404 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305523 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 04/20/2021 08:31:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305522 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305528 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 04/20/2021 08:31:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305527 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:31:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305532 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x12e8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 04/20/2021 08:31:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305530 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12e8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305545 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1608 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 04/20/2021 08:32:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305544 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1608 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305543 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14a0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:32:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305542 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14a0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305547 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc70 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 04/20/2021 08:32:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305546 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc70 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305552 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x820 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 04/20/2021 08:32:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305551 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x820 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305550 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xac Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 04/20/2021 08:32:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305548 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305554 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x4dc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:32:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305553 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x4dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305557 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17cc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:32:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305558 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17cc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 04/20/2021 08:33:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305572 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11bc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:33:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305571 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305570 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x96c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 04/20/2021 08:33:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305569 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x96c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305574 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x7dc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 04/20/2021 08:33:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305573 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305578 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x8fc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 04/20/2021 08:33:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305577 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305576 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1028 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 04/20/2021 08:33:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305575 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1028 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305580 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc8c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:33:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305579 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc8c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305583 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1678 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:33:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305584 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1678 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 04/20/2021 08:34:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305598 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x143c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:34:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305597 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x143c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305596 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1194 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:34:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305595 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1194 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305600 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc2c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 04/20/2021 08:34:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305599 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc2c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305605 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc1c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 04/20/2021 08:34:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305604 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc1c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305603 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x12f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 04/20/2021 08:34:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305602 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305607 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1468 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 04/20/2021 08:34:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305606 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1468 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305610 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf94 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:34:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305611 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xf94 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 04/20/2021 08:35:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305625 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x145c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 04/20/2021 08:35:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305624 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x145c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305623 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x62c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:35:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305621 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x62c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305627 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x136c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 04/20/2021 08:35:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305626 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x136c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305632 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xd38 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 04/20/2021 08:35:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305631 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xd38 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305630 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1028 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 04/20/2021 08:35:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305628 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1028 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305635 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1770 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 04/20/2021 08:35:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305634 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1770 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4673 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Sensitive Privilege Use OpCode=Info RecordNumber=1305633 Keywords=Audit Failure Message=A privileged service was called. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1C4A Service: Server: Security Service Name: - Process: Process ID: 0x17c8 Process Name: C:\Windows\explorer.exe Service Request Information: Privileges: SeTcbPrivilege 04/20/2021 08:35:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305639 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x12c0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 04/20/2021 08:35:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305638 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-816$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x12c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x1328 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1305642 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14b0 New Process Name: C:\PurpleSharp.exe Token Elevation Type: %%1937 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xb40 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\PurpleSharp.exe" /pb .\pb_local_spraying_1.json Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1305711 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Process Information: Process ID: 0x14b0 Process Name: C:\PurpleSharp.exe Exit Status: 0x0 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305710 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: VINCENT_OLSON Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305707 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: HUMBERTO_HOLDEN Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305704 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: MEL_MUELLER Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305701 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: DARRYL_MEDINA Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305698 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: BRICE_PUGH Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305695 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: RENE_REYNOLDS Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305692 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: CHERI_SIMPSON Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305689 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: HANK_WHITEHEAD Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305686 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: VAUGHN_STANLEY Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305683 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: LENARD_CARROLL Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305680 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: WELDON_CHURCH Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305677 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: 2036485924SA Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305674 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: JUDSON_HICKS Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305671 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: 6049815500SA Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305668 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: DONNA_JARVIS Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305665 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: STACIE_COOKE Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305662 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: REBEKAH_HAMMOND Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305659 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: LORRIE_MOSES Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305656 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: BOB_KIRBY Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 04/20/2021 08:35:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4625 EventType=0 Type=Information ComputerName=win-host-816.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1305653 Keywords=Audit Failure Message=An account failed to log on. Subject: Security ID: ATTACKRANGE\REED_FERNANDEZ Account Name: reed_fernandez Account Domain: ATTACKRANGE Logon ID: 0x2B1AE6 Logon Type: 2 Account For Which Logon Failed: Security ID: NULL SID Account Name: 4543759170SA Account Domain: attackrange.local Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC000006A Process Information: Caller Process ID: 0x14b0 Caller Process Name: C:\PurpleSharp.exe Network Information: Workstation Name: WIN-HOST-816 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.