154100x800000000000000014598Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:40.214{54d3457e-a6c4-641c-d006-000000004602}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200289Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86b6f23 4624201254400x8020000000000000200288Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x86b6f23KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::161549%%1833---%%18430x0%%1842 4672001254800x8020000000000000200287Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86b6f2SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012472Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:21:39.719{8FCC9F6C-A6C3-641C-8306-00000000D302}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014220Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:21:39.383{0F843AFE-A6C3-641C-8306-00000000D302}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012471Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:21:38.968{8FCC9F6C-A6C2-641C-8206-00000000D302}2676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012633Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:37.545{94bfb0cf-a6c1-641c-ca06-000000004702}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 703604000x8080000000000000119906Systemar-win-dc.attackrange.localNetwork Setup Servicestopped4E0065007400530065007400750070005300760063002F0031000000 154100x800000000000000014597Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:37.113{54d3457e-a6c1-641c-cf06-000000004602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012632Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:36.785{94bfb0cf-a6c0-641c-c906-000000004702}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012631Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:36.036{94bfb0cf-a6c0-641c-c806-000000004702}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014596Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:36.362{54d3457e-a6c0-641c-ce06-000000004602}4260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012480Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:21:36.394{9792FEB4-A6C0-641C-8506-00000000D302}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013134Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:21:36.371{C9DE9129-A6C0-641C-C406-00000000D302}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012479Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:21:35.646{9792FEB4-A6BF-641C-8406-00000000D302}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012630Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:35.275{94bfb0cf-a6bf-641c-c706-000000004702}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013133Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:21:35.592{C9DE9129-A6BF-641C-C306-00000000D302}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014595Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:35.149{54d3457e-a6bf-641c-cd06-000000004602}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012629Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:34.513{94bfb0cf-a6be-641c-c606-000000004702}2104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014594Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:34.247{54d3457e-a6be-641c-cc06-000000004602}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012501Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:21:32.351{E6E25EEE-A6BC-641C-8406-00000000D302}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 703604000x8080000000000000119905Systemar-win-dc.attackrange.localNetwork Setup Servicerunning4E0065007400530065007400750070005300760063002F0034000000 4672001254800x8020000000000000200281Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4624201254400x8020000000000000200280Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x264C:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 154100x800000000000000014593Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:21:32.659{54d3457e-a6bc-641c-cb06-000000004602}4940C:\Windows\System32\svchost.exe10.0.17763.3346 (WinBuild.160101.0800)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvcC:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=4DD18F001AC31D5F48F50F99E4AA1761,SHA256=2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69{00000000-0000-0000-0000-000000000000}612--- 154100x800000000000000012500Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:21:31.846{CAB910BF-A6BB-641C-8206-00000000D302}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012462Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:21:30.048{B5208300-A6BA-641C-8206-00000000D302}2832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012619Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:25.657{8fd3d7d2-a6b5-641c-cd06-000000004702}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012618Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:24.540{8fd3d7d2-a6b4-641c-cc06-000000004702}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012617Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:23.607{8fd3d7d2-a6b3-641c-cb06-000000004702}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012616Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:22.063{8fd3d7d2-a6b2-641c-ca06-000000004702}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012615Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:21.311{8fd3d7d2-a6b1-641c-c906-000000004702}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 703604000x8080000000000000119818Systemar-win-10.attackrange.localNetwork Setup Servicestopped4E0065007400530065007400750070005300760063002F0031000000 7300x8000000000000027977Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:14.2603807Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:16Z"} 7300x8000000000000027976Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"1000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:14.2573705Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:16Z"} 7300x8000000000000027975Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"2216","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:13.966325Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:16Z"} 154100x800000000000000014219Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:21:16.734{0F843AFE-A6AC-641C-8206-00000000D302}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 4634001254500x8020000000000000200279Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-9$AR-WIN-9$ATTACKRANGE0x866f793 154100x800000000000000014218Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:21:15.934{0F843AFE-A6AB-641C-8106-00000000D302}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 4670001357000x8020000000000000141727Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e7SecurityToken-0x7b8D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-3290392786-819420393-1694314755-3737624005-3552167228)0x260C:\Windows\System32\services.exe 4672001254800x8020000000000000141726Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000141725Securityar-win-10.attackrange.localS-1-5-18AR-WIN-10$ATTACKRANGE0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e7511 BUILTIN\Administrators Everyone NT AUTHORITY\Authenticated Users Mandatory Label\System Mandatory Level 4624201254400x8020000000000000141724Securityar-win-10.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-10$ATTACKRANGE0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x260C:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 154100x800000000000000012614Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:21:14.301{8fd3d7d2-a6aa-641c-c806-000000004702}1184C:\Windows\System32\svchost.exe10.0.17763.3346 (WinBuild.160101.0800)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvcC:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=4DD18F001AC31D5F48F50F99E4AA1761,SHA256=2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69{00000000-0000-0000-0000-000000000000}608--- 703604000x8080000000000000119817Systemar-win-10.attackrange.localNetwork Setup Servicerunning4E0065007400530065007400750070005300760063002F0034000000 154100x800000000000000012470Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:21:14.626{8FCC9F6C-A6AA-641C-8106-00000000D302}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014217Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:21:14.167{0F843AFE-A6AA-641C-8006-00000000D302}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028013Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3524","Execution_ThreadID":"4028","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3524","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.6461616Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:13Z"} 7300x8000000000000028012Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3524","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3524","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.6457106Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:13Z"} 7300x8000000000000028011Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB77890000","EventID":"5","Execution_ProcessID":"3524","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB77890000","ImageCheckSum":"149968","ImageLoaded":"\\Windows\\System32\\srvcli.dll","ImageName":"\\Windows\\System32\\srvcli.dll","ImageSize":"0x26000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\srvcli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3524","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.4579242Z","TimeDateStamp":"1648872530","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:13Z"} 7300x8000000000000028003Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2388","Execution_ThreadID":"1092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.265286Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:13Z"} 7300x8000000000000028002Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2388","Execution_ThreadID":"1092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.264808Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:13Z"} 154100x800000000000000012469Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:21:12.118{8FCC9F6C-A6A8-641C-8006-00000000D302}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012478Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:21:12.147{9792FEB4-A6A8-641C-8306-00000000D302}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014216Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:21:12.197{0F843AFE-A6A8-641C-7F06-00000000D302}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028001Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2388","Execution_ThreadID":"1500","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:11.1185467Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:12Z"} 154100x800000000000000012468Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:21:11.260{8FCC9F6C-A6A7-641C-7F06-00000000D302}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013132Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:21:10.754{C9DE9129-A6A6-641C-C206-00000000D302}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012500Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:21:09.563{E6E25EEE-A6A5-641C-8306-00000000D302}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000028008Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3136","Execution_ThreadID":"636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:10.3469875Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:09Z"} 7300x8000000000000028007Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3136","Execution_ThreadID":"636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:10.3465161Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:09Z"} 7300x8000000000000028006Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3136","Execution_ThreadID":"3140","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:10.1273375Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:09Z"} 703604000x8080000000000000119794Systemar-win-6.attackrange.localNetwork Setup Servicestopped4E0065007400530065007400750070005300760063002F0031000000 4634001254500x8020000000000000200278Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE0x8662e53 154100x800000000000000012499Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:21:09.321{CAB910BF-A6A5-641C-8106-00000000D302}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012477Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:21:09.028{9792FEB4-A6A5-641C-8206-00000000D302}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012499Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:21:08.803{E6E25EEE-A6A4-641C-8206-00000000D302}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012461Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:21:08.566{B5208300-A6A4-641C-8106-00000000D302}984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012498Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:21:08.564{CAB910BF-A6A4-641C-8006-00000000D302}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012476Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:21:08.265{9792FEB4-A6A4-641C-8106-00000000D302}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013131Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:21:08.603{C9DE9129-A6A4-641C-C106-00000000D302}4932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028129Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4028","Execution_ThreadID":"1824","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4028","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:07.222609Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:08Z"} 7300x8000000000000028128Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4028","Execution_ThreadID":"1824","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4028","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:07.2219996Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:08Z"} 7300x8000000000000028127Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"4028","Execution_ThreadID":"4020","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4028","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:07.0306324Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:08Z"} 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:21:07.807{B5208300-A6A3-641C-8006-00000000D302}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013130Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:21:07.842{C9DE9129-A6A3-641C-C006-00000000D302}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028020Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"3108","Execution_ThreadID":"2808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3108","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:06.5176333Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:07Z"} 7300x8000000000000028019Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"3108","Execution_ThreadID":"2808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3108","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:06.5170611Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:07Z"} 154100x800000000000000012497Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:21:06.720{CAB910BF-A6A2-641C-7F06-00000000D302}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141723Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012498Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:21:05.545{E6E25EEE-A6A1-641C-8106-00000000D302}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027988Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"2012","Execution_ThreadID":"3444","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2012","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:05.9082697Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:05Z"} 7300x8000000000000027987Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"2012","Execution_ThreadID":"3444","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2012","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:05.9076762Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:05Z"} 4634001254500x8020000000000000200277Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-5$AR-WIN-5$ATTACKRANGE0x865e0f3 4673001305600x8010000000000000141133Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012497Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:21:04.712{E6E25EEE-A6A0-641C-8006-00000000D302}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012459Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:21:04.846{B5208300-A6A0-641C-7F06-00000000D302}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012628Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:21:04.095{94bfb0cf-a6a0-641c-c506-000000004702}1420C:\Windows\System32\svchost.exe10.0.17763.3346 (WinBuild.160101.0800)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvcC:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=4DD18F001AC31D5F48F50F99E4AA1761,SHA256=2B105FB153B1BCD619B95028612B3A93C60B953EEF6837D3BB0099E4207AAF6B,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69{00000000-0000-0000-0000-000000000000}608--- 4670001357000x8020000000000000141131Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e7SecurityToken-0x520D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-3290392786-819420393-1694314755-3737624005-3552167228)0x260C:\Windows\System32\services.exe 4672001254800x8020000000000000141130Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4627001255400x8020000000000000141129Securityar-win-6.attackrange.localS-1-5-18AR-WIN-6$ATTACKRANGE0x3e7S-1-5-18SYSTEMNT AUTHORITY0x3e7511 BUILTIN\Administrators Everyone NT AUTHORITY\Authenticated Users Mandatory Label\System Mandatory Level 4624201254400x8020000000000000141128Securityar-win-6.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-6$ATTACKRANGE0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x260C:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 703604000x8080000000000000119793Systemar-win-6.attackrange.localNetwork Setup Servicerunning4E0065007400530065007400750070005300760063002F0034000000 4634001254500x8020000000000000200276Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-3$AR-WIN-3$ATTACKRANGE0x865b913 4624201254400x8020000000000000200275Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-9$AR-WIN-9$ATTACKRANGE.LOCAL0x866f793KerberosKerberos-{30c24c8e-1f44-3efa-96c8-685c638bc843}--00x0-10.0.1.2249860%%1840---%%18430x0%%1842 7300x8000000000000028018Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF956F60000","EventID":"5","Execution_ProcessID":"3464","Execution_ThreadID":"3304","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF956F60000","ImageCheckSum":"149968","ImageLoaded":"\\Windows\\System32\\srvcli.dll","ImageName":"\\Windows\\System32\\srvcli.dll","ImageSize":"0x26000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\srvcli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3464","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:02.8180072Z","TimeDateStamp":"1648872530","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:04Z"} 7300x8000000000000027986Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"1952","Execution_ThreadID":"3404","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1952","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:21:03.6597519Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:21:03Z"} 154100x800000000000000012496Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:21:03.206{CAB910BF-A69F-641C-7E06-00000000D302}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012458Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:21:02.767{B5208300-A69E-641C-7E06-00000000D302}1952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141722Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141127Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4624201254400x8020000000000000200274Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-2$AR-WIN-2$ATTACKRANGE.LOCAL0x8662e53KerberosKerberos-{aeda3327-2957-171e-3b6f-a68ee36cdd7b}--00x0-10.0.1.1549846%%1840---%%18430x0%%1842 4624201254400x8020000000000000200273Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-5$AR-WIN-5$ATTACKRANGE.LOCAL0x865e0f3KerberosKerberos-{f064901d-cfc5-8101-bcdd-b62e09a2b913}--00x0-10.0.1.1849868%%1840---%%18430x0%%1842 4624201254400x8020000000000000200272Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-3$AR-WIN-3$ATTACKRANGE.LOCAL0x865b913KerberosKerberos-{c225ff0d-b9f4-0406-015a-dd492171e226}--00x0-10.0.1.1649992%%1840---%%18430x0%%1842 154100x800000000000000014592Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:20:40.205{54d3457e-a688-641c-ca06-000000004602}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200270Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x864a3d3 4624201254400x8020000000000000200269Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x864a3d3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::161548%%1833---%%18430x0%%1842 4672001254800x8020000000000000200268Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x864a3dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012467Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:20:39.719{8FCC9F6C-A687-641C-7E06-00000000D302}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014215Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:20:39.382{0F843AFE-A687-641C-7E06-00000000D302}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012466Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:20:38.955{8FCC9F6C-A686-641C-7D06-00000000D302}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012627Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:20:37.574{94bfb0cf-a685-641c-c406-000000004702}4148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014591Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:20:37.115{54d3457e-a685-641c-c906-000000004602}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012626Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:20:36.815{94bfb0cf-a684-641c-c306-000000004702}4356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012625Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:20:36.061{94bfb0cf-a684-641c-c206-000000004702}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 4634001254500x8020000000000000200266Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-8$AR-WIN-8$ATTACKRANGE0x86205f3 154100x800000000000000014590Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:20:36.364{54d3457e-a684-641c-c806-000000004602}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013129Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:20:36.341{C9DE9129-A684-641C-BF06-00000000D302}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012475Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:20:36.397{9792FEB4-A684-641C-8006-00000000D302}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012624Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:20:35.314{94bfb0cf-a683-641c-c106-000000004702}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013128Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:20:35.581{C9DE9129-A683-641C-BE06-00000000D302}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012474Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:20:35.646{9792FEB4-A683-641C-7F06-00000000D302}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014589Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:20:35.146{54d3457e-a683-641c-c706-000000004602}548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012623Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:20:34.549{94bfb0cf-a682-641c-c006-000000004702}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014588Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:20:34.229{54d3457e-a682-641c-c606-000000004602}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012496Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:20:32.349{E6E25EEE-A680-641C-7F06-00000000D302}696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 4634001254500x8020000000000000200262Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86176c3 154100x800000000000000012495Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:20:31.835{CAB910BF-A67F-641C-7D06-00000000D302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012457Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:20:30.038{B5208300-A67E-641C-7D06-00000000D302}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 4634001254500x8020000000000000200261Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-10$AR-WIN-10$ATTACKRANGE0x8612613 154100x800000000000000012613Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:20:25.665{8fd3d7d2-a679-641c-c706-000000004702}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 4624201254400x8020000000000000200260Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-8$AR-WIN-8$ATTACKRANGE.LOCAL0x86205f3KerberosKerberos-{40ceba85-f515-d283-a93f-a280db01702d}--00x0-10.0.1.2149879%%1840---%%18430x0%%1842 154100x800000000000000012612Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:20:24.539{8fd3d7d2-a678-641c-c606-000000004702}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012611Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:20:23.615{8fd3d7d2-a677-641c-c506-000000004702}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012610Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:20:22.067{8fd3d7d2-a676-641c-c406-000000004702}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012609Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:20:21.317{8fd3d7d2-a675-641c-c306-000000004702}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 4634001254500x8020000000000000200259Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8615be3 4634001254500x8020000000000000200258Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8616cb3 4634001254500x8020000000000000200257Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86171b3 4624201254400x8020000000000000200256Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x86176c3KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-fe80::25f1:ea03:8efd:c46261543%%1840---%%18430x0%%1842 4672001254800x8020000000000000200255Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86176cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200254Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x86171b3KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-10.0.1.1461547%%1833---%%18430x0%%1842 4672001254800x8020000000000000200253Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86171bSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200252Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8616cb3KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000200251Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8616cbSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200250Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8615be3KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-fe80::25f1:ea03:8efd:c46261546%%1833---%%18430x0%%1842 4672001254800x8020000000000000200249Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8615beSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200248Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x86159a3KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-fe80::25f1:ea03:8efd:c46261545%%1833---%%18430x0%%1842 4672001254800x8020000000000000200247Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x86159aSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000200246Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-6$AR-WIN-6$ATTACKRANGE0x8605933 4624201254400x8020000000000000200245Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-10$AR-WIN-10$ATTACKRANGE.LOCAL0x8612613KerberosKerberos-{afdcb5b5-2acb-abb2-6ddf-30d33bfeb9f7}--00x0-10.0.1.2349883%%1840---%%18430x0%%1842 4634001254500x8020000000000000200244Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-4$AR-WIN-4$ATTACKRANGE0x86050c3 154100x800000000000000014214Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:20:16.701{0F843AFE-A670-641C-7D06-00000000D302}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000014213Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:20:15.933{0F843AFE-A66F-641C-7C06-00000000D302}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027974Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"3584","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:12.4693393Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:15Z"} 7300x8000000000000027973Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"3584","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:12.4659965Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:15Z"} 7300x8000000000000027972Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF689E0000","EventID":"5","Execution_ProcessID":"2264","Execution_ThreadID":"3584","ImageBase":"0x7FFF689E0000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2264","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:12.1977022Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:15Z"} 154100x800000000000000012465Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:20:14.618{8FCC9F6C-A66E-641C-7C06-00000000D302}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014212Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:20:14.154{0F843AFE-A66E-641C-7B06-00000000D302}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028010Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3732","Execution_ThreadID":"1344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3732","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.6832881Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 7300x8000000000000028009Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3732","Execution_ThreadID":"1344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3732","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.6820446Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 7300x8000000000000028008Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80B40000","EventID":"5","Execution_ProcessID":"3732","Execution_ThreadID":"3368","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80B40000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3732","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.4422768Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 154100x800000000000000012464Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:20:12.129{8FCC9F6C-A66C-641C-7B06-00000000D302}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4634001254500x8020000000000000200243Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-7$AR-WIN-7$ATTACKRANGE0x85fbe13 154100x800000000000000012473Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:20:12.129{9792FEB4-A66C-641C-7E06-00000000D302}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014211Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:20:12.190{0F843AFE-A66C-641C-7A06-00000000D302}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028000Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2304","Execution_ThreadID":"1292","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2304","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.2894431Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 7300x8000000000000027999Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2304","Execution_ThreadID":"1292","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2304","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.2888689Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 7300x8000000000000027998Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2304","Execution_ThreadID":"672","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2304","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:11.1035879Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:12Z"} 154100x800000000000000012463Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:20:11.249{8FCC9F6C-A66B-641C-7A06-00000000D302}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013127Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:20:10.753{C9DE9129-A66A-641C-BD06-00000000D302}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012495Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:20:09.533{E6E25EEE-A669-641C-7E06-00000000D302}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000028005Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3292","Execution_ThreadID":"2052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3292","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:10.3635462Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:09Z"} 7300x8000000000000028004Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3292","Execution_ThreadID":"2052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3292","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:10.3612229Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:09Z"} 7300x8000000000000028003Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3292","Execution_ThreadID":"1484","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3292","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:10.1167216Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:09Z"} 154100x800000000000000012494Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:20:09.320{CAB910BF-A669-641C-7C06-00000000D302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012472Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:20:09.027{9792FEB4-A669-641C-7D06-00000000D302}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012494Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:20:08.784{E6E25EEE-A668-641C-7D06-00000000D302}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012493Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:20:08.550{CAB910BF-A668-641C-7B06-00000000D302}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012456Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:20:08.566{B5208300-A668-641C-7C06-00000000D302}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4624201254400x8020000000000000200242Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-6$AR-WIN-6$ATTACKRANGE.LOCAL0x8605933KerberosKerberos-{439edf7e-4036-a776-1403-91231b3fb164}--00x0-10.0.1.1949888%%1840---%%18430x0%%1842 154100x800000000000000012471Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:20:08.270{9792FEB4-A668-641C-7C06-00000000D302}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013126Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:20:08.576{C9DE9129-A668-641C-BC06-00000000D302}1788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028126Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"2248","Execution_ThreadID":"3312","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2248","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:07.2577519Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:08Z"} 7300x8000000000000028125Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"2248","Execution_ThreadID":"3312","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2248","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:07.2572718Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:08Z"} 7300x8000000000000028124Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"2248","Execution_ThreadID":"1488","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2248","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:07.0183634Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:08Z"} 154100x800000000000000012455Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:20:07.804{B5208300-A667-641C-7B06-00000000D302}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4624201254400x8020000000000000200241Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-4$AR-WIN-4$ATTACKRANGE.LOCAL0x86050c3KerberosKerberos-{1c56326d-f0e0-b4ef-10fd-b847183dc39b}--00x0-10.0.1.1749843%%1840---%%18430x0%%1842 154100x800000000000000013125Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:20:07.824{C9DE9129-A667-641C-BB06-00000000D302}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028017Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"832","Execution_ThreadID":"3136","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"832","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:06.5575619Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:07Z"} 7300x8000000000000028016Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"832","Execution_ThreadID":"3136","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"832","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:06.5570196Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:07Z"} 7300x8000000000000028015Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"832","Execution_ThreadID":"1168","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"832","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:06.30028Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:07Z"} 154100x800000000000000012492Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:20:06.717{CAB910BF-A666-641C-7A06-00000000D302}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141711Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012493Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:20:05.582{E6E25EEE-A665-641C-7C06-00000000D302}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027985Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"1208","Execution_ThreadID":"3636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1208","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:05.941623Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:05Z"} 7300x8000000000000027984Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"1208","Execution_ThreadID":"3636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1208","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:05.9411663Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:05Z"} 154100x800000000000000012492Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:20:04.709{E6E25EEE-A664-641C-7B06-00000000D302}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012454Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:20:04.840{B5208300-A664-641C-7A06-00000000D302}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141116Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027983Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"3480","Execution_ThreadID":"3288","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3480","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:20:03.6543436Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:20:03Z"} 154100x800000000000000012491Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:20:03.213{CAB910BF-A663-641C-7906-00000000D302}392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012453Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:20:02.761{B5208300-A662-641C-7906-00000000D302}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4624201254400x8020000000000000200240Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-7$AR-WIN-7$ATTACKRANGE.LOCAL0x85fbe13KerberosKerberos-{fb896d96-ddef-8260-fd6a-2075b6e3aa09}--00x0-10.0.1.2049846%%1840---%%18430x0%%1842 4673001305600x8010000000000000141710Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141115Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4634001254500x8020000000000000200239Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85eb843 4624201254400x8020000000000000200238Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x85eb843KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46261542%%1833---%%18430x0%%1842 4672001254800x8020000000000000200237Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85eb84SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000200236Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85ead03 4624201254400x8020000000000000200235Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x85ead03KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46261541%%1833---%%18430x0%%1842 4672001254800x8020000000000000200234Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85ead0SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000014587Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:19:40.188{54d3457e-a64c-641c-c506-000000004602}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200232Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85d9133 4624201254400x8020000000000000200231Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x85d9133KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::161539%%1833---%%18430x0%%1842 4672001254800x8020000000000000200230Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x85d913SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012462Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:19:39.696{8FCC9F6C-A64B-641C-7906-00000000D302}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014210Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:19:39.364{0F843AFE-A64B-641C-7906-00000000D302}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012461Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:19:38.942{8FCC9F6C-A64A-641C-7806-00000000D302}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012622Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:19:37.512{94bfb0cf-a649-641c-bf06-000000004702}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014586Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:19:37.098{54d3457e-a649-641c-c406-000000004602}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012621Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:19:36.851{94bfb0cf-a648-641c-be06-000000004702}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012620Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:19:36.089{94bfb0cf-a648-641c-bd06-000000004702}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014585Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:19:36.345{54d3457e-a648-641c-c306-000000004602}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012470Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:19:36.403{9792FEB4-A648-641C-7B06-00000000D302}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013124Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:19:36.308{C9DE9129-A648-641C-BA06-00000000D302}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012469Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:19:35.644{9792FEB4-A647-641C-7A06-00000000D302}2640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012619Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:19:35.338{94bfb0cf-a647-641c-bc06-000000004702}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013123Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:19:35.562{C9DE9129-A647-641C-B906-00000000D302}4964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014584Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:19:35.137{54d3457e-a647-641c-c206-000000004602}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012618Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:19:34.579{94bfb0cf-a646-641c-bb06-000000004702}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014583Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:19:34.233{54d3457e-a646-641c-c106-000000004602}360C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012491Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:19:32.333{E6E25EEE-A644-641C-7A06-00000000D302}456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012490Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:19:31.817{CAB910BF-A643-641C-7806-00000000D302}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:19:30.023{B5208300-A642-641C-7806-00000000D302}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012608Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:19:25.675{8fd3d7d2-a63d-641c-c206-000000004702}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012607Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:19:24.551{8fd3d7d2-a63c-641c-c106-000000004702}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012606Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:19:23.616{8fd3d7d2-a63b-641c-c006-000000004702}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012605Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:19:22.077{8fd3d7d2-a63a-641c-bf06-000000004702}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012604Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:19:21.327{8fd3d7d2-a639-641c-be06-000000004702}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014209Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:19:16.699{0F843AFE-A634-641C-7806-00000000D302}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027971Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"3748","Execution_ThreadID":"2524","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3748","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:14.309841Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:16Z"} 7300x8000000000000027970Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"3748","Execution_ThreadID":"2524","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3748","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:14.3093499Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:16Z"} 7300x8000000000000027969Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"3748","Execution_ThreadID":"2508","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3748","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:13.972476Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:16Z"} 154100x800000000000000014208Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:19:15.931{0F843AFE-A633-641C-7706-00000000D302}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:19:14.604{8FCC9F6C-A632-641C-7706-00000000D302}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4634001254500x8020000000000000200225Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x858f153 154100x800000000000000014207Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:19:14.155{0F843AFE-A632-641C-7606-00000000D302}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028007Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3196","Execution_ThreadID":"3984","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3196","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.7380883Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:13Z"} 7300x8000000000000028006Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3196","Execution_ThreadID":"3984","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3196","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.7368689Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:13Z"} 7300x8000000000000028005Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB81160000","EventID":"5","Execution_ProcessID":"3196","Execution_ThreadID":"4040","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB81160000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3196","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.4343069Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:13Z"} 154100x800000000000000012459Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:19:12.118{8FCC9F6C-A630-641C-7606-00000000D302}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012468Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:19:12.112{9792FEB4-A630-641C-7906-00000000D302}3560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000027997Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"3560","Execution_ThreadID":"968","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3560","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.2663297Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:12Z"} 7300x8000000000000027996Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"3560","Execution_ThreadID":"968","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3560","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.2658738Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:12Z"} 7300x8000000000000027995Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"3560","Execution_ThreadID":"3708","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3560","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:11.0901069Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:12Z"} 154100x800000000000000014206Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:19:12.181{0F843AFE-A630-641C-7506-00000000D302}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012458Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:19:11.253{8FCC9F6C-A62F-641C-7506-00000000D302}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013122Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:19:10.740{C9DE9129-A62E-641C-B806-00000000D302}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012490Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:19:09.520{E6E25EEE-A62D-641C-7906-00000000D302}324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000028002Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3188","Execution_ThreadID":"3940","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:10.3077955Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:09Z"} 7300x8000000000000028001Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3188","Execution_ThreadID":"3940","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:10.3071488Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:09Z"} 7300x8000000000000028000Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3188","Execution_ThreadID":"3604","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3188","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:10.119271Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:09Z"} 154100x800000000000000012489Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:19:09.304{CAB910BF-A62D-641C-7706-00000000D302}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012467Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:19:09.019{9792FEB4-A62D-641C-7806-00000000D302}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012489Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:19:08.777{E6E25EEE-A62C-641C-7806-00000000D302}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012488Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:19:08.544{CAB910BF-A62C-641C-7606-00000000D302}804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012451Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:19:08.569{B5208300-A62C-641C-7706-00000000D302}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 4624201254400x8020000000000000200224Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE.LOCAL0x8599b83KerberosKerberos-{7bbc5f5c-d48c-d84a-0610-939de87ce665}--00x0---%%1840---%%18430x0%%1842 4672001254800x8020000000000000200223Securityar-win-dc.attackrange.localATTACKRANGE\AR-WIN-DC$AR-WIN-DC$ATTACKRANGE0x8599b8SeAuditPrivilege SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege 154100x800000000000000012466Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:19:08.268{9792FEB4-A62C-641C-7706-00000000D302}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013121Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:19:08.579{C9DE9129-A62C-641C-B706-00000000D302}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028123Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"2384","Execution_ThreadID":"596","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2384","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:07.2363817Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:08Z"} 7300x8000000000000028122Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"2384","Execution_ThreadID":"596","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2384","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:07.2358418Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:08Z"} 7300x8000000000000028121Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"2384","Execution_ThreadID":"2560","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2384","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:07.0209713Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:08Z"} 154100x800000000000000012450Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:19:07.812{B5208300-A62B-641C-7606-00000000D302}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013120Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:19:07.819{C9DE9129-A62B-641C-B606-00000000D302}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028014Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"3752","Execution_ThreadID":"3880","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3752","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:06.5726099Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:07Z"} 7300x8000000000000028013Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"3752","Execution_ThreadID":"3880","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3752","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:06.5721217Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:07Z"} 154100x800000000000000012487Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:19:06.720{CAB910BF-A62A-641C-7506-00000000D302}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000028012Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95D5D0000","EventID":"5","Execution_ProcessID":"3752","Execution_ThreadID":"3556","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95D5D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3752","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:06.3017926Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:06Z"} 154100x800000000000000012488Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:19:05.562{E6E25EEE-A629-641C-7706-00000000D302}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027982Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3816","Execution_ThreadID":"268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3816","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:05.9514521Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:05Z"} 7300x8000000000000027981Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3816","Execution_ThreadID":"268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3816","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:05.9503928Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:05Z"} 4673001305600x8010000000000000141103Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012487Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:19:04.696{E6E25EEE-A628-641C-7606-00000000D302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012449Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:19:04.815{B5208300-A628-641C-7506-00000000D302}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027980Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"3300","Execution_ThreadID":"4008","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3300","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:19:03.632187Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:19:03Z"} 4624201254400x8020000000000000200222Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x858f153KerberosKerberos-{49301dcc-8cff-a9e2-45e6-961fe71c4adf}--00x0-fe80::25f1:ea03:8efd:c46250163%%1840---%%18430x0%%1842 4672001254800x8020000000000000200221Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x858f15SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012486Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:19:03.217{CAB910BF-A627-641C-7406-00000000D302}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:19:02.739{B5208300-A626-641C-7406-00000000D302}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141102Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4673001305600x8010000000000000373367Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0x179355Security-SeTcbPrivilege0xaf0C:\Windows\explorer.exe 154100x800000000000000014582Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:18:40.188{54d3457e-a610-641c-c006-000000004602}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200219Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x856a963 4624201254400x8020000000000000200218Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x856a963KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150162%%1833---%%18430x0%%1842 4672001254800x8020000000000000200217Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x856a96SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012457Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:18:39.685{8FCC9F6C-A60F-641C-7406-00000000D302}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014205Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:18:39.348{0F843AFE-A60F-641C-7406-00000000D302}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012456Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:18:38.942{8FCC9F6C-A60E-641C-7306-00000000D302}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012617Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:18:37.562{94bfb0cf-a60d-641c-ba06-000000004702}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014581Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:18:37.103{54d3457e-a60d-641c-bf06-000000004602}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012616Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:18:36.875{94bfb0cf-a60c-641c-b906-000000004702}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012615Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:18:36.117{94bfb0cf-a60c-641c-b806-000000004702}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014580Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:18:36.354{54d3457e-a60c-641c-be06-000000004602}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012465Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:18:36.385{9792FEB4-A60C-641C-7606-00000000D302}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013119Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:18:36.285{C9DE9129-A60C-641C-B506-00000000D302}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012464Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:18:35.626{9792FEB4-A60B-641C-7506-00000000D302}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012614Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:18:35.357{94bfb0cf-a60b-641c-b706-000000004702}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013118Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:18:35.537{C9DE9129-A60B-641C-B406-00000000D302}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014579Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:18:35.119{54d3457e-a60b-641c-bd06-000000004602}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012613Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:18:34.612{94bfb0cf-a60a-641c-b606-000000004702}2112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014578Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:18:34.232{54d3457e-a60a-641c-bc06-000000004602}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012486Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:18:32.320{E6E25EEE-A608-641C-7506-00000000D302}808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012485Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:18:31.808{CAB910BF-A607-641C-7306-00000000D302}3948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012447Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:18:30.030{B5208300-A606-641C-7306-00000000D302}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012603Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:18:25.683{8fd3d7d2-a601-641c-bd06-000000004702}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012602Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:18:24.545{8fd3d7d2-a600-641c-bc06-000000004702}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012601Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:18:23.624{8fd3d7d2-a5ff-641c-bb06-000000004702}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012600Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:18:22.103{8fd3d7d2-a5fe-641c-ba06-000000004702}2288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012599Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:18:21.327{8fd3d7d2-a5fd-641c-b906-000000004702}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 7300x8000000000000027968Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"3232","Execution_ThreadID":"2520","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3232","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:14.343549Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:17Z"} 7300x8000000000000027967Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"3232","Execution_ThreadID":"2520","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3232","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:14.3424033Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:17Z"} 154100x800000000000000014204Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:18:16.775{0F843AFE-A5F8-641C-7306-00000000D302}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000014203Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:18:15.905{0F843AFE-A5F7-641C-7206-00000000D302}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027966Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF64A40000","EventID":"5","Execution_ProcessID":"3472","Execution_ThreadID":"3240","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFF64A40000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3472","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:12.2003257Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:15Z"} 154100x800000000000000012455Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:18:14.599{8FCC9F6C-A5F6-641C-7206-00000000D302}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014202Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:18:14.150{0F843AFE-A5F6-641C-7106-00000000D302}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028004Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3224","Execution_ThreadID":"3308","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3224","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.6687106Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:13Z"} 7300x8000000000000028003Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3224","Execution_ThreadID":"3308","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3224","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.6680323Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:13Z"} 7300x8000000000000028002Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB7E4B0000","EventID":"5","Execution_ProcessID":"3224","Execution_ThreadID":"3856","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB7E4B0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3224","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.4226809Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:13Z"} 7300x8000000000000027994Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"3664","Execution_ThreadID":"3888","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.2563187Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:13Z"} 7300x8000000000000027993Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"3664","Execution_ThreadID":"3888","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.2554422Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:13Z"} 154100x800000000000000012454Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:18:12.112{8FCC9F6C-A5F4-641C-7106-00000000D302}3224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012463Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:18:12.099{9792FEB4-A5F4-641C-7406-00000000D302}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000027992Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"3664","Execution_ThreadID":"3456","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:11.0801426Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:12Z"} 154100x800000000000000014201Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:18:12.168{0F843AFE-A5F4-641C-7006-00000000D302}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012453Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:18:11.247{8FCC9F6C-A5F3-641C-7006-00000000D302}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013117Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:18:10.739{C9DE9129-A5F2-641C-B306-00000000D302}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012485Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:18:09.520{E6E25EEE-A5F1-641C-7406-00000000D302}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027999Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3340","Execution_ThreadID":"3124","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3340","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:10.3413011Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:09Z"} 7300x8000000000000027998Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3340","Execution_ThreadID":"3124","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3340","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:10.340756Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:09Z"} 7300x8000000000000027997Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3340","Execution_ThreadID":"2964","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3340","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:10.1092818Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:09Z"} 154100x800000000000000012484Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:18:09.291{CAB910BF-A5F1-641C-7206-00000000D302}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012462Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:18:09.004{9792FEB4-A5F1-641C-7306-00000000D302}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012484Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:18:08.767{E6E25EEE-A5F0-641C-7306-00000000D302}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012446Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:18:08.587{B5208300-A5F0-641C-7206-00000000D302}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012483Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:18:08.543{CAB910BF-A5F0-641C-7106-00000000D302}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012461Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:18:08.255{9792FEB4-A5F0-641C-7206-00000000D302}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013116Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:18:08.554{C9DE9129-A5F0-641C-B206-00000000D302}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028120Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"1444","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:07.2706324Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:08Z"} 7300x8000000000000028119Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"1444","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:07.2697923Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:08Z"} 7300x8000000000000028118Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"4564","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:07.0153845Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:08Z"} 154100x800000000000000012445Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:18:07.813{B5208300-A5EF-641C-7106-00000000D302}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013115Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:18:07.804{C9DE9129-A5EF-641C-B106-00000000D302}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028011Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"3496","Execution_ThreadID":"3216","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3496","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:06.4790147Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:07Z"} 7300x8000000000000028010Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"3496","Execution_ThreadID":"3216","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3496","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:06.4784248Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:07Z"} 7300x8000000000000028009Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95D5D0000","EventID":"5","Execution_ProcessID":"3496","Execution_ThreadID":"3316","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95D5D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3496","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:06.290488Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:07Z"} 154100x800000000000000012482Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:18:06.711{CAB910BF-A5EE-641C-7006-00000000D302}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027979Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"1736","Execution_ThreadID":"2640","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1736","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:05.9148261Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:06Z"} 7300x8000000000000027978Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"1736","Execution_ThreadID":"2640","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1736","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:05.9143538Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:06Z"} 4673001305600x8010000000000000141688Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012483Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:18:05.577{E6E25EEE-A5ED-641C-7206-00000000D302}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012444Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:18:04.814{B5208300-A5EC-641C-7006-00000000D302}1736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012482Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:18:04.691{E6E25EEE-A5EC-641C-7106-00000000D302}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027977Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA92C0000","EventID":"5","Execution_ProcessID":"3468","Execution_ThreadID":"4048","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA92C0000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3468","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:18:03.6414532Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:18:03Z"} 154100x800000000000000012481Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:18:03.214{CAB910BF-A5EB-641C-6F06-00000000D302}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012443Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:18:02.726{B5208300-A5EA-641C-6F06-00000000D302}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141687Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000014577Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:17:40.189{54d3457e-a5d4-641c-bb06-000000004602}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200211Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8503913 4624201254400x8020000000000000200210Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8503913KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150161%%1833---%%18430x0%%1842 4672001254800x8020000000000000200209Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x850391SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:17:39.687{8FCC9F6C-A5D3-641C-6F06-00000000D302}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014200Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:17:39.346{0F843AFE-A5D3-641C-6F06-00000000D302}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012451Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:17:38.918{8FCC9F6C-A5D2-641C-6E06-00000000D302}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012612Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:17:37.570{94bfb0cf-a5d1-641c-b506-000000004702}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014576Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:17:37.125{54d3457e-a5d1-641c-ba06-000000004602}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012611Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:17:36.806{94bfb0cf-a5d0-641c-b406-000000004702}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012610Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:17:36.045{94bfb0cf-a5d0-641c-b306-000000004702}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014575Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:17:36.346{54d3457e-a5d0-641c-b906-000000004602}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013114Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:17:36.280{C9DE9129-A5D0-641C-B006-00000000D302}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:17:36.385{9792FEB4-A5D0-641C-7106-00000000D302}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012609Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:17:35.393{94bfb0cf-a5cf-641c-b206-000000004702}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013113Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:17:35.527{C9DE9129-A5CF-641C-AF06-00000000D302}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012459Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:17:35.611{9792FEB4-A5CF-641C-7006-00000000D302}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014574Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:17:35.099{54d3457e-a5cf-641c-b806-000000004602}1008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012608Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:17:34.629{94bfb0cf-a5ce-641c-b106-000000004702}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014573Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:17:34.234{54d3457e-a5ce-641c-b706-000000004602}552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012481Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:17:32.322{E6E25EEE-A5CC-641C-7006-00000000D302}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012480Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:17:31.796{CAB910BF-A5CB-641C-6E06-00000000D302}2248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012442Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:17:30.025{B5208300-A5CA-641C-6E06-00000000D302}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012598Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:17:25.691{8fd3d7d2-a5c5-641c-b806-000000004702}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012597Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:17:24.552{8fd3d7d2-a5c4-641c-b706-000000004702}4888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012596Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:17:23.628{8fd3d7d2-a5c3-641c-b606-000000004702}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012595Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:17:22.112{8fd3d7d2-a5c2-641c-b506-000000004702}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012594Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:17:21.336{8fd3d7d2-a5c1-641c-b406-000000004702}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014199Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:17:16.654{0F843AFE-A5BC-641C-6E06-00000000D302}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000014198Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:17:15.895{0F843AFE-A5BB-641C-6D06-00000000D302}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027965Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"944","Execution_ThreadID":"884","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"944","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:12.4307649Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:15Z"} 7300x8000000000000027964Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"944","Execution_ThreadID":"884","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"944","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:12.4238033Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:15Z"} 7300x8000000000000027963Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF689E0000","EventID":"5","Execution_ProcessID":"944","Execution_ThreadID":"656","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFF689E0000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"944","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:12.1969174Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:15Z"} 154100x800000000000000012450Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:17:14.589{8FCC9F6C-A5BA-641C-6D06-00000000D302}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014197Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:17:14.143{0F843AFE-A5BA-641C-6C06-00000000D302}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000028001Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"4052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.8975725Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 7300x8000000000000028000Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"4052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.8969413Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 7300x8000000000000027999Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80B30000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"4052","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFB80B30000","ImageCheckSum":"63700","ImageLoaded":"\\Windows\\System32\\netutils.dll","ImageName":"\\Windows\\System32\\netutils.dll","ImageSize":"0xD000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netutils.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.5967938Z","TimeDateStamp":"1468636083","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 154100x800000000000000012449Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:17:12.147{8FCC9F6C-A5B8-641C-6C06-00000000D302}668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012458Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:17:12.092{9792FEB4-A5B8-641C-6F06-00000000D302}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014196Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:17:12.164{0F843AFE-A5B8-641C-6B06-00000000D302}288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027991Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"1800","Execution_ThreadID":"3880","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:11.3797963Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 7300x8000000000000027990Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"1800","Execution_ThreadID":"3880","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:11.3781251Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 7300x8000000000000027989Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"1800","Execution_ThreadID":"2612","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:11.077162Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:12Z"} 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:17:11.247{8FCC9F6C-A5B7-641C-6B06-00000000D302}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013112Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:17:10.732{C9DE9129-A5B6-641C-AE06-00000000D302}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012480Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:17:09.503{E6E25EEE-A5B5-641C-6F06-00000000D302}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027996Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"2416","Execution_ThreadID":"3948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.2938796Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:09Z"} 7300x8000000000000027995Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"2416","Execution_ThreadID":"3948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.2919938Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:09Z"} 7300x8000000000000027994Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"2416","Execution_ThreadID":"3612","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:10.0958197Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:09Z"} 154100x800000000000000012479Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:17:09.296{CAB910BF-A5B5-641C-6D06-00000000D302}1016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012457Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:17:09.008{9792FEB4-A5B5-641C-6E06-00000000D302}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012479Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:17:08.753{E6E25EEE-A5B4-641C-6E06-00000000D302}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012478Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:17:08.546{CAB910BF-A5B4-641C-6C06-00000000D302}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012441Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:17:08.560{B5208300-A5B4-641C-6D06-00000000D302}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012456Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:17:08.255{9792FEB4-A5B4-641C-6D06-00000000D302}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013111Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:17:08.533{C9DE9129-A5B4-641C-AD06-00000000D302}4144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028117Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4436","Execution_ThreadID":"4480","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4436","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:07.2035998Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:08Z"} 7300x8000000000000028116Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4436","Execution_ThreadID":"4480","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4436","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:07.2031218Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:08Z"} 7300x8000000000000028115Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"4436","Execution_ThreadID":"4948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4436","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:07.0077906Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:08Z"} 154100x800000000000000012440Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:17:07.805{B5208300-A5B3-641C-6C06-00000000D302}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013110Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:17:07.795{C9DE9129-A5B3-641C-AC06-00000000D302}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028008Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"584","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:06.597846Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:07Z"} 7300x8000000000000028007Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"584","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:06.5973742Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:07Z"} 154100x800000000000000012477Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:17:06.692{CAB910BF-A5B2-641C-6B06-00000000D302}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000028006Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"3896","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:06.2692721Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:06Z"} 4673001305600x8010000000000000141675Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012478Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:17:05.573{E6E25EEE-A5B1-641C-6D06-00000000D302}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027976Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"872","Execution_ThreadID":"2428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:05.8700123Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:05Z"} 7300x8000000000000027975Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"872","Execution_ThreadID":"2428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"872","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:05.8695482Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:05Z"} 4673001305600x8010000000000000141080Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012477Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:17:04.695{E6E25EEE-A5B0-641C-6C06-00000000D302}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012439Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:17:04.804{B5208300-A5B0-641C-6B06-00000000D302}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012476Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:17:03.216{CAB910BF-A5AF-641C-6A06-00000000D302}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027974Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"3832","Execution_ThreadID":"4056","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3832","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:17:03.6169291Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:17:03Z"} 154100x800000000000000012438Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:17:02.724{B5208300-A5AE-641C-6A06-00000000D302}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141674Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141079Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014572Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:16:40.190{54d3457e-a598-641c-b606-000000004602}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200203Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x849c843 4624201254400x8020000000000000200202Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x849c843KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150160%%1833---%%18430x0%%1842 4672001254800x8020000000000000200201Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x849c84SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012447Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:16:39.501{8FCC9F6C-A597-641C-6A06-00000000D302}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014195Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:16:39.333{0F843AFE-A597-641C-6A06-00000000D302}660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012446Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:16:38.909{8FCC9F6C-A596-641C-6906-00000000D302}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012607Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:16:37.477{94bfb0cf-a595-641c-b006-000000004702}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014571Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:16:37.086{54d3457e-a595-641c-b506-000000004602}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012606Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:16:36.722{94bfb0cf-a594-641c-af06-000000004702}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014570Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:16:36.333{54d3457e-a594-641c-b406-000000004602}1452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013109Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:16:36.288{C9DE9129-A594-641C-AB06-00000000D302}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012455Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:16:36.365{9792FEB4-A594-641C-6C06-00000000D302}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012605Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:16:35.967{94bfb0cf-a593-641c-ae06-000000004702}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012604Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:16:35.244{94bfb0cf-a593-641c-ad06-000000004702}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013108Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:16:35.526{C9DE9129-A593-641C-AA06-00000000D302}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012454Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:16:35.604{9792FEB4-A593-641C-6B06-00000000D302}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014569Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:16:35.102{54d3457e-a593-641c-b306-000000004602}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012603Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:16:34.492{94bfb0cf-a592-641c-ac06-000000004702}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014568Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:16:34.225{54d3457e-a592-641c-b206-000000004602}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012476Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:16:32.323{E6E25EEE-A590-641C-6B06-00000000D302}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012475Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:16:31.801{CAB910BF-A58F-641C-6906-00000000D302}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012437Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:16:30.027{B5208300-A58E-641C-6906-00000000D302}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012593Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:16:25.682{8fd3d7d2-a589-641c-b306-000000004702}4900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012592Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:16:24.563{8fd3d7d2-a588-641c-b206-000000004702}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012591Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:16:23.615{8fd3d7d2-a587-641c-b106-000000004702}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012590Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:16:22.093{8fd3d7d2-a586-641c-b006-000000004702}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012589Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:16:21.343{8fd3d7d2-a585-641c-af06-000000004702}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014194Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:16:16.625{0F843AFE-A580-641C-6906-00000000D302}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027962Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"3084","Execution_ThreadID":"1616","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3084","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:14.2066499Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:16Z"} 7300x8000000000000027961Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"3084","Execution_ThreadID":"1616","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3084","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:14.2052745Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:16Z"} 7300x8000000000000027960Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"3084","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3084","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:13.9257948Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:16Z"} 154100x800000000000000014193Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:16:15.869{0F843AFE-A57F-641C-6806-00000000D302}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012445Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:16:14.590{8FCC9F6C-A57E-641C-6806-00000000D302}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014192Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:16:14.120{0F843AFE-A57E-641C-6706-00000000D302}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027998Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3700","Execution_ThreadID":"2448","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3700","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.6225979Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 7300x8000000000000027997Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3700","Execution_ThreadID":"2448","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3700","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.621959Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 7300x8000000000000027996Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB7E4B0000","EventID":"5","Execution_ProcessID":"3700","Execution_ThreadID":"356","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB7E4B0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3700","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.4259737Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 154100x800000000000000012444Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:16:12.121{8FCC9F6C-A57C-641C-6706-00000000D302}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012453Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:16:12.101{9792FEB4-A57C-641C-6A06-00000000D302}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000027988Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"3416","Execution_ThreadID":"2492","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.2623021Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 7300x8000000000000027987Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"3416","Execution_ThreadID":"2492","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.261838Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 7300x8000000000000027986Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"3416","Execution_ThreadID":"3532","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3416","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:11.0884717Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:12Z"} 154100x800000000000000014191Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:16:12.152{0F843AFE-A57C-641C-6606-00000000D302}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012443Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:16:11.244{8FCC9F6C-A57B-641C-6606-00000000D302}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013107Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:16:10.724{C9DE9129-A57A-641C-A906-00000000D302}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012475Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:16:09.506{E6E25EEE-A579-641C-6A06-00000000D302}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027993Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"740","Execution_ThreadID":"3888","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"740","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:10.2750419Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:09Z"} 7300x8000000000000027992Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"740","Execution_ThreadID":"3888","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"740","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:10.274002Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:09Z"} 7300x8000000000000027991Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"740","Execution_ThreadID":"3772","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"740","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:10.0987442Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:09Z"} 154100x800000000000000012474Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:16:09.297{CAB910BF-A579-641C-6806-00000000D302}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012474Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:16:08.756{E6E25EEE-A578-641C-6906-00000000D302}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012436Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:16:08.577{B5208300-A578-641C-6806-00000000D302}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012473Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:16:08.543{CAB910BF-A578-641C-6706-00000000D302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:16:08.998{9792FEB4-A578-641C-6906-00000000D302}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012451Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:16:08.248{9792FEB4-A578-641C-6806-00000000D302}768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013106Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:16:08.537{C9DE9129-A578-641C-A806-00000000D302}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028114Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"2280","Execution_ThreadID":"3136","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2280","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:07.2495211Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:08Z"} 7300x8000000000000028113Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"2280","Execution_ThreadID":"3136","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2280","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:07.2490349Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:08Z"} 7300x8000000000000028112Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"2280","Execution_ThreadID":"4980","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2280","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:07.0052052Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:08Z"} 154100x800000000000000012435Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:16:07.813{B5208300-A577-641C-6706-00000000D302}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013105Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:16:07.786{C9DE9129-A577-641C-A706-00000000D302}2280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028005Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"2584","Execution_ThreadID":"2964","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:06.5550265Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:07Z"} 7300x8000000000000028004Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"2584","Execution_ThreadID":"2964","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:06.5538087Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:07Z"} 154100x800000000000000012472Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:16:06.689{CAB910BF-A576-641C-6606-00000000D302}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012473Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:16:05.571{E6E25EEE-A575-641C-6806-00000000D302}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000141068Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027973Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3728","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:05.8851099Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:05Z"} 7300x8000000000000027972Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3728","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:05.8846794Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:05Z"} 7300x8000000000000027971Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDB0EC0000","EventID":"5","Execution_ProcessID":"3844","Execution_ThreadID":"3356","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDB0EC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:05.6845525Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:05Z"} 154100x800000000000000012472Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:16:04.700{E6E25EEE-A574-641C-6706-00000000D302}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012434Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:16:04.791{B5208300-A574-641C-6606-00000000D302}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000028003Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF956F60000","EventID":"5","Execution_ProcessID":"1048","Execution_ThreadID":"3656","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF956F60000","ImageCheckSum":"149968","ImageLoaded":"\\Windows\\System32\\srvcli.dll","ImageName":"\\Windows\\System32\\srvcli.dll","ImageSize":"0x26000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\srvcli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1048","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:16:02.8362022Z","TimeDateStamp":"1648872530","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:16:04Z"} 154100x800000000000000012471Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:16:03.218{CAB910BF-A573-641C-6506-00000000D302}1048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012433Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:16:02.725{B5208300-A572-641C-6506-00000000D302}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141067Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014567Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:15:40.189{54d3457e-a55c-641c-b106-000000004602}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200195Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8435c43 4624201254400x8020000000000000200194Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8435c43KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150159%%1833---%%18430x0%%1842 4672001254800x8020000000000000200193Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8435c4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012442Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:15:39.498{8FCC9F6C-A55B-641C-6506-00000000D302}1412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014190Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:15:39.314{0F843AFE-A55B-641C-6506-00000000D302}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012441Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:15:38.886{8FCC9F6C-A55A-641C-6406-00000000D302}3788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4634001254500x8020000000000000372041Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a61063 4634001254500x8020000000000000200192Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x840ada3 4634001254500x8020000000000000371891Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ea63 154100x800000000000000012602Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:15:37.375{94bfb0cf-a559-641c-ab06-000000004702}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 4634001254500x8020000000000000371989Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dcd23 4634001254500x8020000000000000371801Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f3a63 4634001254500x8020000000000000141064Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8e8c3 154100x800000000000000014566Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:15:37.091{54d3457e-a559-641c-b006-000000004602}4660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000141663Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe12c3 4634001254500x8020000000000000372052Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc373 4634001254500x8020000000000000371830Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da183 154100x800000000000000012601Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:15:36.606{94bfb0cf-a558-641c-aa06-000000004702}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014565Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:15:36.331{54d3457e-a558-641c-af06-000000004602}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013104Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:36.267{C9DE9129-A558-641C-A606-00000000D302}4700C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012450Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:15:36.347{9792FEB4-A558-641C-6706-00000000D302}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012600Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:15:35.854{94bfb0cf-a557-641c-a906-000000004702}1924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012599Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:15:35.101{94bfb0cf-a557-641c-a806-000000004702}692C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013103Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:35.511{C9DE9129-A557-641C-A506-00000000D302}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012449Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:15:35.598{9792FEB4-A557-641C-6606-00000000D302}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014564Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:15:35.104{54d3457e-a557-641c-ae06-000000004602}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012598Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:15:34.336{94bfb0cf-a556-641c-a706-000000004702}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014563Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:15:34.220{54d3457e-a556-641c-ad06-000000004602}404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012471Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:15:32.315{E6E25EEE-A554-641C-6606-00000000D302}1156C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012470Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:15:31.790{CAB910BF-A553-641C-6406-00000000D302}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 4634001254500x8020000000000000200187Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8400ed3 154100x800000000000000012432Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:15:30.018{B5208300-A552-641C-6406-00000000D302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 354300x800000000000000013102Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:26.138{C9DE9129-74E3-641C-9002-00000000D302}1888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\ELMER_SALAStcptruefalse10.0.1.16ar-win-3.attackrange.local49945-false10.0.1.14-389ldap 354300x800000000000000013101Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:26.014{C9DE9129-74E3-641C-9002-00000000D302}1888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\ELMER_SALAStcptruefalse10.0.1.16ar-win-3.attackrange.local49941-false10.0.1.14-389ldap 1400x8000000000000028111Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\"","Computer":"ar-win-3.attackrange.local","Correlation_ActivityID":"","EventID":"4688","EventRecordID":"373330","Execution_ProcessID":"4","Execution_ThreadID":"3644","Image":"C:\\Windows\\System32\\whoami.exe","Keywords":"0","Level":"0","MandatoryLabel":"S-1-16-8192","Match_Strings":"\\whoami.exe in Image","Module":"Sigma","NewProcessId":"4708","Opcode":"0","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ProcessId":"1888","Provider_Guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Provider_Name":"Microsoft-Windows-Security-Auditing","Rule_Author":"Florian Roth (Nextron Systems)","Rule_Description":"Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation","Rule_FalsePositives":"Admin activity, Scripts and administrative tools used in the monitored environment, Monitoring activity","Rule_Id":"e28a5a99-da44-436d-b7a0-2afc20a5f413","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/process_creation/proc_creation_win_whoami_execution.yml","Rule_Modified":"2023/02/28","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_whoami_execution.yml","Rule_References":"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/","Rule_Sigtype":"public","Rule_Title":"Whoami Utility Execution","Security_UserID":"","Source":"Security","SubjectDomainName":"ATTACKRANGE","SubjectLogonId":"0x179355","SubjectUserName":"elmer_salas","SubjectUserSid":"S-1-5-21-3061066544-971859979-4169126676-1123","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","Task":"13312","TimeCreated_SystemTime":"2023-03-23T19:15:23.1468333Z","TokenElevationType":"%%1938","Version":"2","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-23T19:15:29Z"} 4634001254500x8020000000000000371890Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ef03 4634001254500x8020000000000000371889Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ef43 4634001254500x8020000000000000371888Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ed23 4627001255400x8020000000000000371887Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x693ef4311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371886Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef43KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649980%%1833---%%18430x0%%1843 4627001255400x8020000000000000371885Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x693ef0311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371884Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ef03KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649979%%1833---%%18430x0%%1843 4627001255400x8020000000000000371883Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x693ed2311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371882Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ed23KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649978%%1833---%%18430x0%%1843 5145001281100x8020000000000000371881Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ea6File10.0.1.1649976\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000371880Securityar-win-7.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x693ea6File10.0.1.1649976\\*\IPC$0x1%%4416 4627001255400x8020000000000000371879Securityar-win-7.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x693ea6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371878Securityar-win-7.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x693ea63KerberosKerberos-{139F7D70-0163-38CC-676D-00AE04A0F19C}--00x0-10.0.1.1649976%%1833---%%18430x0%%1843 4634001254500x8020000000000000372036Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a615f3 4634001254500x8020000000000000372035Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a614a3 4634001254500x8020000000000000372034Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a61303 4627001255400x8020000000000000372033Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x6a615f311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372032Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x6a615f3KerberosKerberos-{67DE2BC4-8DD8-06BA-6D2E-BAE6D2564350}--00x0-10.0.1.1649965%%1833---%%18430x0%%1843 4627001255400x8020000000000000372031Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x6a614a311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372030Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x6a614a3KerberosKerberos-{67DE2BC4-8DD8-06BA-6D2E-BAE6D2564350}--00x0-10.0.1.1649964%%1833---%%18430x0%%1843 4627001255400x8020000000000000372029Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x6a6130311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372028Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x6a61303KerberosKerberos-{67DE2BC4-8DD8-06BA-6D2E-BAE6D2564350}--00x0-10.0.1.1649963%%1833---%%18430x0%%1843 5145001281100x8020000000000000372027Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a6106File10.0.1.1649961\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000372026Securityar-win-9.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x6a6106File10.0.1.1649961\\*\IPC$0x1%%4416 4627001255400x8020000000000000372025Securityar-win-9.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x6a6106311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372024Securityar-win-9.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x6a61063KerberosKerberos-{67DE2BC4-8DD8-06BA-6D2E-BAE6D2564350}--00x0-10.0.1.1649961%%1833---%%18430x0%%1843 4769001433700x8020000000000000200186Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-6$ATTACKRANGE\AR-WIN-6$0x408100000x12::ffff:10.0.1.16499880x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4634001254500x8020000000000000200185Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x840b463 4634001254500x8020000000000000200184Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x840b2c3 4634001254500x8020000000000000200183Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x840b443 4624201254400x8020000000000000200182Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b463KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649986%%1840---%%18430x0%%1842 4624201254400x8020000000000000200181Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b443KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649985%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-11.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-12.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-14.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-13.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-16.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-15.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-18.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-17.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-20.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-19.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-21.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-22.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-25.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-23.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-24.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-26.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-27.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-29.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-28.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-30.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-31.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-32.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-34.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-33.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-35.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-37.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-39.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-38.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-40.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-41.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-42.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-43.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-44.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-45.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-46.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-47.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-48.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-49.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-50.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-51.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-52.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200180Securityar-win-55.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840b2c3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649984%%1840---%%18430x0%%1842 4624201254400x8020000000000000200179Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840ada3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649981%%1840---%%18430x0%%1842 4769001433700x8020000000000000200178Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALkrbtgtATTACKRANGE\krbtgt0x608100100x12::ffff:10.0.1.16499830x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200177Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.16499820x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200176Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-7$ATTACKRANGE\AR-WIN-7$0x408100000x12::ffff:10.0.1.16499770x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200175Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-8$ATTACKRANGE\AR-WIN-8$0x408100000x12::ffff:10.0.1.16499720x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200174Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-2$ATTACKRANGE\AR-WIN-2$0x408100000x12::ffff:10.0.1.16499670x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200173Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-9$ATTACKRANGE\AR-WIN-9$0x408100000x12::ffff:10.0.1.16499620x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200172Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-4$ATTACKRANGE\AR-WIN-4$0x408100000x12::ffff:10.0.1.16499570x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200171Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-10$ATTACKRANGE\AR-WIN-10$0x408100000x12::ffff:10.0.1.16499520x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4769001433700x8020000000000000200170Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-5$ATTACKRANGE\AR-WIN-5$0x408100000x12::ffff:10.0.1.16499470x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4624201254400x8020000000000000200169Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840a953KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649945%%1833---%%18430x0%%1842 4634001254500x8020000000000000200168Securityar-win-dc.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x840a7e3 4624201254400x8020000000000000200167Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x840a7e3KerberosKerberos-{2332f537-9dbb-9e1b-5c87-165c1366a921}--00x0-10.0.1.1649941%%1833---%%18430x0%%1842 4769001433700x8020000000000000200166Securityar-win-dc.attackrange.localELMER_SALAS@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.16499440x0{cf19713f-458d-536f-f5a0-5be6bad6f950}- 4768001433900x8020000000000000200165Securityar-win-dc.attackrange.localELMER_SALASATTACKRANGE.LOCALATTACKRANGE\ELMER_SALASkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1649943 4670001357000x8020000000000000373332Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e7SecurityToken-0x1948D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x4a4C:\Windows\System32\svchost.exe 410515102150x0141201Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141200Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local14b65f78-bafb-466f-887a-f2068c8f4259a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141199Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141198Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141197Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local14b65f78-bafb-466f-887a-f2068c8f4259a93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141196Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11prompt14b65f78-bafb-466f-887a-f2068c8f4259 410615103150x0141195Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141194Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141193Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local4e0fdc0f-02e9-40b0-a61e-023c97e28430a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141192Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141191Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141190Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141189Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141188Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141187Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141186Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141185Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141184Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141183Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141182Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141181Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141180Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141179Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141178Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141177Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141176Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141175Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141174Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141173Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local567e90b3-dc4a-4681-9fee-e2c6523d9feaa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141172Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local755c8a3f-1822-47cb-9d8e-45e9a84c13c3a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141171Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local755c8a3f-1822-47cb-9d8e-45e9a84c13c3a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141170Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local4e0fdc0f-02e9-40b0-a61e-023c97e28430a93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141169Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11Invoke-ShareFinder4e0fdc0f-02e9-40b0-a61e-023c97e28430 410615103150x0141168Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 4634001254500x8020000000000000371988Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dd143 4634001254500x8020000000000000371987Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dd023 4634001254500x8020000000000000371986Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dd2d3 4627001255400x8020000000000000371985Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68dd2d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371984Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68dd2d3KerberosKerberos-{043CB561-611C-83C9-6AC3-F49CB5993ED0}--00x0-10.0.1.1649960%%1833---%%18430x0%%1843 4627001255400x8020000000000000371983Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68dd14311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371982Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68dd143KerberosKerberos-{043CB561-611C-83C9-6AC3-F49CB5993ED0}--00x0-10.0.1.1649959%%1833---%%18430x0%%1843 4627001255400x8020000000000000371981Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68dd02311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371980Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68dd023KerberosKerberos-{043CB561-611C-83C9-6AC3-F49CB5993ED0}--00x0-10.0.1.1649958%%1833---%%18430x0%%1843 5145001281100x8020000000000000371979Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dcd2File10.0.1.1649956\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000371978Securityar-win-4.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68dcd2File10.0.1.1649956\\*\IPC$0x1%%4416 4627001255400x8020000000000000371977Securityar-win-4.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68dcd2311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371976Securityar-win-4.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68dcd23KerberosKerberos-{043CB561-611C-83C9-6AC3-F49CB5993ED0}--00x0-10.0.1.1649956%%1833---%%18430x0%%1843 4634001254500x8020000000000000141055Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8efd3 4634001254500x8020000000000000141054Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8f113 4634001254500x8020000000000000141053Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8ed53 4627001255400x8020000000000000141052Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7f8f11311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141051Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7f8f113KerberosKerberos-{8616d8e6-f4d6-6d42-3b78-6a7780c663ed}--00x0-10.0.1.1649991%%1833---%%18430x0%%1843 4627001255400x8020000000000000141050Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7f8efd311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141049Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7f8efd3KerberosKerberos-{8616d8e6-f4d6-6d42-3b78-6a7780c663ed}--00x0-10.0.1.1649990%%1833---%%18430x0%%1843 4627001255400x8020000000000000141048Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7f8ed5311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141047Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7f8ed53KerberosKerberos-{8616d8e6-f4d6-6d42-3b78-6a7780c663ed}--00x0-10.0.1.1649989%%1833---%%18430x0%%1843 5145001281100x8020000000000000141046Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8e8cFile10.0.1.1649987\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000141045Securityar-win-6.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7f8e8cFile10.0.1.1649987\\*\IPC$0x1%%4416 4627001255400x8020000000000000141044Securityar-win-6.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7f8e8c311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141043Securityar-win-6.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7f8e8c3KerberosKerberos-{8616d8e6-f4d6-6d42-3b78-6a7780c663ed}--00x0-10.0.1.1649987%%1833---%%18430x0%%1843 4634001254500x8020000000000000371798Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f4003 4634001254500x8020000000000000371797Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f3ec3 4634001254500x8020000000000000371796Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f3cc3 4627001255400x8020000000000000371795Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68f400311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371794Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68f4003KerberosKerberos-{8C48AD38-52E3-6CEB-EDBE-DBF63990F311}--00x0-10.0.1.1649975%%1833---%%18430x0%%1843 4627001255400x8020000000000000371793Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68f3ec311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371792Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68f3ec3KerberosKerberos-{8C48AD38-52E3-6CEB-EDBE-DBF63990F311}--00x0-10.0.1.1649974%%1833---%%18430x0%%1843 4627001255400x8020000000000000371791Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68f3cc311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371790Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68f3cc3KerberosKerberos-{8C48AD38-52E3-6CEB-EDBE-DBF63990F311}--00x0-10.0.1.1649973%%1833---%%18430x0%%1843 5145001281100x8020000000000000371789Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f3a6File10.0.1.1649971\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000371788Securityar-win-8.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68f3a6File10.0.1.1649971\\*\IPC$0x1%%4416 4627001255400x8020000000000000371787Securityar-win-8.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68f3a6311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371786Securityar-win-8.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68f3a63KerberosKerberos-{8C48AD38-52E3-6CEB-EDBE-DBF63990F311}--00x0-10.0.1.1649971%%1833---%%18430x0%%1843 4634001254500x8020000000000000371827Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da5d3 4634001254500x8020000000000000371826Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da713 4634001254500x8020000000000000371825Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da433 4627001255400x8020000000000000371824Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68da71311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371823Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68da713KerberosKerberos-{B140FFA4-FB19-1951-BC7E-841DB9684730}--00x0-10.0.1.1649970%%1833---%%18430x0%%1843 4627001255400x8020000000000000371822Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68da5d311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371821Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68da5d3KerberosKerberos-{B140FFA4-FB19-1951-BC7E-841DB9684730}--00x0-10.0.1.1649969%%1833---%%18430x0%%1843 4627001255400x8020000000000000371820Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68da43311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371819Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68da433KerberosKerberos-{B140FFA4-FB19-1951-BC7E-841DB9684730}--00x0-10.0.1.1649968%%1833---%%18430x0%%1843 5145001281100x8020000000000000371818Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da18File10.0.1.1649966\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000371817Securityar-win-2.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68da18File10.0.1.1649966\\*\IPC$0x1%%4416 4627001255400x8020000000000000371816Securityar-win-2.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68da18311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000371815Securityar-win-2.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68da183KerberosKerberos-{B140FFA4-FB19-1951-BC7E-841DB9684730}--00x0-10.0.1.1649966%%1833---%%18430x0%%1843 154100x800000000000000012588Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:15:25.677{8fd3d7d2-a54d-641c-ae06-000000004702}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 4634001254500x8020000000000000141660Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe1913 4634001254500x8020000000000000141659Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe1963 4634001254500x8020000000000000141658Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe19a3 4627001255400x8020000000000000141657Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7fe19a311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141656Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7fe19a3KerberosKerberos-{921faf93-2a03-acd6-11e3-79ef9c48ec52}--00x0-10.0.1.1649954%%1833---%%18430x0%%1843 4627001255400x8020000000000000141655Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7fe191311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4627001255400x8020000000000000141654Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7fe196311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141653Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7fe1963KerberosKerberos-{921faf93-2a03-acd6-11e3-79ef9c48ec52}--00x0-10.0.1.1649955%%1833---%%18430x0%%1843 4624201254400x8020000000000000141652Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7fe1913KerberosKerberos-{921faf93-2a03-acd6-11e3-79ef9c48ec52}--00x0-10.0.1.1649953%%1833---%%18430x0%%1843 5145001281100x8020000000000000141651Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe12cFile10.0.1.1649951\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000141650Securityar-win-10.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x7fe12cFile10.0.1.1649951\\*\IPC$0x1%%4416 4627001255400x8020000000000000141649Securityar-win-10.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x7fe12c311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000141648Securityar-win-10.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x7fe12c3KerberosKerberos-{921faf93-2a03-acd6-11e3-79ef9c48ec52}--00x0-10.0.1.1649951%%1833---%%18430x0%%1843 4634001254500x8020000000000000372049Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc773 4634001254500x8020000000000000372048Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc923 4634001254500x8020000000000000372047Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc693 4627001255400x8020000000000000372046Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68fc92311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372045Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68fc923KerberosKerberos-{4163B515-A6D1-70DD-9FEF-9588773615C1}--00x0-10.0.1.1649950%%1833---%%18430x0%%1843 4627001255400x8020000000000000372044Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68fc77311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372043Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68fc773KerberosKerberos-{4163B515-A6D1-70DD-9FEF-9588773615C1}--00x0-10.0.1.1649949%%1833---%%18430x0%%1843 4627001255400x8020000000000000372042Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68fc69311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372041Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68fc693KerberosKerberos-{4163B515-A6D1-70DD-9FEF-9588773615C1}--00x0-10.0.1.1649948%%1833---%%18430x0%%1843 5145001281100x8020000000000000372040Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc37File10.0.1.1649946\\*\IPC$srvsvc0x12019f%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 - 5140101280800x8020000000000000372039Securityar-win-5.attackrange.localATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE0x68fc37File10.0.1.1649946\\*\IPC$0x1%%4416 4627001255400x8020000000000000372038Securityar-win-5.attackrange.localS-1-0-0--0x0S-1-5-21-3061066544-971859979-4169126676-1123ELMER_SALASATTACKRANGE.LOCAL0x68fc37311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\PH-locomoron-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-4098} ATTACKRANGE\MA-BRENda103-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3885} ATTACKRANGE\GW-hom-admingroup1 %{S-1-5-21-3061066544-971859979-4169126676-3692} ATTACKRANGE\KO-Neunkirch-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3633} ATTACKRANGE\GO-101-distlist1 %{S-1-5-21-3061066544-971859979-4169126676-3969} ATTACKRANGE\CA-280-distlist1 %{S-1-18-1} Mandatory Label\Medium Mandatory Level 4624201254400x8020000000000000372037Securityar-win-5.attackrange.localNULL SID--0x0ATTACKRANGE\ELMER_SALASELMER_SALASATTACKRANGE.LOCAL0x68fc373KerberosKerberos-{4163B515-A6D1-70DD-9FEF-9588773615C1}--00x0-10.0.1.1649946%%1833---%%18430x0%%1843 154100x800000000000000012587Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:15:24.557{8fd3d7d2-a54c-641c-ad06-000000004702}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012586Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:15:23.621{8fd3d7d2-a54b-641c-ac06-000000004702}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 1400x8000000000000028110Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Windows\\system32\\whoami.exe\"","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CurrentDirectory":"C:\\Users\\elmer_salas\\Downloads\\","Description":"whoami - displays logged on user information","EventID":"1","Execution_ProcessID":"1960","Execution_ThreadID":"2424","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Hashes":"MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9","Image":"C:\\Windows\\System32\\whoami.exe","IntegrityLevel":"Medium","Keywords":"0x8000000000000000","Level":"4","LogonGuid":"{c9de9129-6b72-641c-5593-170000000000}","LogonId":"0x179355","Match_Strings":"\\whoami.exe in Image, whoami.exe in OriginalFileName","Module":"Sigma","Opcode":"0","OriginalFileName":"whoami.exe","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -exec bypass","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessGuid":"{c9de9129-74e3-641c-9002-00000000d302}","ParentProcessId":"1888","ParentUser":"ATTACKRANGE\\ELMER_SALAS","ProcessGuid":"{c9de9129-a54b-641c-a406-00000000d302}","ProcessId":"4708","Product":"Microsoft\u0000\ufffd Windows\u0000\ufffd Operating System","Provider_Guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Provider_Name":"Microsoft-Windows-Sysmon","RuleName":"-","Rule_Author":"Florian Roth (Nextron Systems)","Rule_Description":"Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation","Rule_FalsePositives":"Admin activity, Scripts and administrative tools used in the monitored environment, Monitoring activity","Rule_Id":"e28a5a99-da44-436d-b7a0-2afc20a5f413","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/process_creation/proc_creation_win_whoami_execution.yml","Rule_Modified":"2023/02/28","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_whoami_execution.yml","Rule_References":"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/","Rule_Sigtype":"public","Rule_Title":"Whoami Utility Execution","Security_UserID":"S-1-5-18","Task":"1","TerminalSessionId":"2","TimeCreated_SystemTime":"2023-03-23T19:15:22.3695491Z","User":"ATTACKRANGE\\ELMER_SALAS","UtcTime":"2023-03-23 19:15:23.146","Version":"5","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-23T19:15:23Z"} 1400x8000000000000028109Applicationar-win-3.attackrange.local{"Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CreateTime":"2023-03-23T19:15:23.146782500Z","Description":"whoami - displays logged on user information","EventID":"1","Execution_ProcessID":"1888","Execution_ThreadID":"4828","FileAge":"2441d05h56m51s","FileCreationDate":"2016-07-16T13:18:31","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Flags":"0","GrandparentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" ","GrandparentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","GrandparentProcessId":"4328","Hashes":"MD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA1=9746E91BFC629D3A2E1FE6289B549C0452702004,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9","Image":"C:\\Windows\\System32\\whoami.exe","ImageChecksum":"0x13225","ImageFileName":"whoami.exe","ImageName":"\\Device\\HarddiskVolume1\\Windows\\System32\\whoami.exe","Keywords":"0x8000000000000010","Level":"4","Match_Strings":"\\whoami.exe in Image, whoami.exe in OriginalFileName","Module":"Sigma","Opcode":"1","OriginalFileName":"whoami.exe","PackageFullName":"","PackageRelativeAppId":"","ParentCommandLine":"\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -exec bypass","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentProcessId":"1888","ParentSpoofed":"yes","ParentUser":"ATTACKRANGE\\ELMER_SALAS","ProcessId":"4708","ProcessTree":"C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\whoami.exe","Product":"Microsoft® Windows® Operating System","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Florian Roth (Nextron Systems)","Rule_Description":"Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation","Rule_FalsePositives":"Admin activity, Scripts and administrative tools used in the monitored environment, Monitoring activity","Rule_Id":"e28a5a99-da44-436d-b7a0-2afc20a5f413","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/process_creation/proc_creation_win_whoami_execution.yml","Rule_Modified":"2023/02/28","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_whoami_execution.yml","Rule_References":"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/","Rule_Sigtype":"public","Rule_Title":"Whoami Utility Execution","Security_UserID":"S-1-5-21-3061066544-971859979-4169126676-1123","SessionID":"2","Task":"1","TimeCreated_SystemTime":"2023-03-23T19:15:22.3665418Z","TimeDateStamp":"0x578999C8","Timestamp":"2016-07-16T02:19:52","User":"ATTACKRANGE\\ELMER_SALAS","UtcTime":"2023-03-23 19:15:23","Version":"2","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-23T19:15:23Z"} 154100x800000000000000013100Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:23.146{C9DE9129-A54B-641C-A406-00000000D302}4708C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\elmer_salas\Downloads\ATTACKRANGE\ELMER_SALAS{C9DE9129-6B72-641C-5593-170000000000}0x1793552MediumMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{C9DE9129-74E3-641C-9002-00000000D302}1888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypassATTACKRANGE\ELMER_SALAS 410515102150x0141167Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141166Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locala980f126-7c73-41ea-9fdd-cd1163e20302a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141165Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141164Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141163Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locala980f126-7c73-41ea-9fdd-cd1163e20302a93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141162Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11prompta980f126-7c73-41ea-9fdd-cd1163e20302 410615103150x0141161Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141160Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141159Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locala4d3aecb-dc90-4cde-b1dc-27b890a76979a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141158Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.locala4d3aecb-dc90-4cde-b1dc-27b890a76979a93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141157Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11whoamia4d3aecb-dc90-4cde-b1dc-27b890a76979 410615103150x0141156Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 154100x800000000000000012585Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:15:22.109{8fd3d7d2-a54a-641c-ab06-000000004702}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000013099Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:22.356{C9DE9129-A54A-641C-A306-00000000D302}1044C:\Windows\System32\klist.exe10.0.14393.0 (rs1_release.160715-1616)Tool for managing the Kerberos ticket cacheMicrosoft® Windows® Operating SystemMicrosoft Corporationklist.exe"C:\Windows\system32\klist.exe" purgeC:\Users\elmer_salas\Downloads\ATTACKRANGE\ELMER_SALAS{C9DE9129-6B72-641C-5593-170000000000}0x1793552MediumMD5=1B4E8E3355E782F088EE2A2F54CE7D49,SHA256=4E05E47D6344D8693CF95B1B2F74FD0D372E054485924E8917E9A38A78505B11,IMPHASH=A0A80AE53522E99D3577B6DBDD68291D{C9DE9129-74E3-641C-9002-00000000D302}1888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypassATTACKRANGE\ELMER_SALAS 410515102150x0141155Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141154Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localf3be3bc0-88b7-45ac-85dd-d945a6a70c7ba93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141153Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141152Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141151Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localf3be3bc0-88b7-45ac-85dd-d945a6a70c7ba93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141150Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11promptf3be3bc0-88b7-45ac-85dd-d945a6a70c7b 410615103150x0141149Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141148Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141147Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local32c4dc21-5abc-45ef-9b74-c766bc821ffca93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141146Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local32c4dc21-5abc-45ef-9b74-c766bc821ffca93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141145Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11klist purge32c4dc21-5abc-45ef-9b74-c766bc821ffc 410615103150x0141144Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 154100x800000000000000012584Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:15:21.355{8fd3d7d2-a549-641c-aa06-000000004702}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 4634001254500x8020000000000000200164Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83ff0b3 4634001254500x8020000000000000200163Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8400153 4634001254500x8020000000000000200162Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8400643 4624201254400x8020000000000000200161Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8400ed3KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-fe80::25f1:ea03:8efd:c46250158%%1840---%%18430x0%%1842 4672001254800x8020000000000000200160Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8400edSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200159Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8400643KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-10.0.1.1450157%%1833---%%18430x0%%1842 4672001254800x8020000000000000200158Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x840064SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200157Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8400153KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000200156Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x840015SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200155Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x83ff0b3KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-fe80::25f1:ea03:8efd:c46250156%%1833---%%18430x0%%1842 4672001254800x8020000000000000200154Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83ff0bSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000013098Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:20.419{C9DE9129-A548-641C-A206-00000000D302}3468C:\Windows\System32\klist.exe10.0.14393.0 (rs1_release.160715-1616)Tool for managing the Kerberos ticket cacheMicrosoft® Windows® Operating SystemMicrosoft Corporationklist.exe"C:\Windows\system32\klist.exe" purgeC:\Users\elmer_salas\Downloads\ATTACKRANGE\ELMER_SALAS{C9DE9129-6B72-641C-5593-170000000000}0x1793552MediumMD5=1B4E8E3355E782F088EE2A2F54CE7D49,SHA256=4E05E47D6344D8693CF95B1B2F74FD0D372E054485924E8917E9A38A78505B11,IMPHASH=A0A80AE53522E99D3577B6DBDD68291D{C9DE9129-74E3-641C-9002-00000000D302}1888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypassATTACKRANGE\ELMER_SALAS 410515102150x0141143Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141142Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local94cdbba3-48cb-4517-8ec9-44acb17a233aa93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141141Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141140Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.localbbcae4cc-d247-495f-95a5-4e39afae330da93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141139Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local94cdbba3-48cb-4517-8ec9-44acb17a233aa93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141138Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11prompt94cdbba3-48cb-4517-8ec9-44acb17a233a 410615103150x0141137Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141136Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local533bc68c-3a3f-4241-961e-40d9adabfd85a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410615103150x0141135Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local15de373d-1ffe-499a-9a99-2747b4efd0d1a93a0f5d-dd2b-4bad-82c1-4a084022e47a 410515102150x0141134Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local15de373d-1ffe-499a-9a99-2747b4efd0d1a93a0f5d-dd2b-4bad-82c1-4a084022e47a 4104152150x0141133Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local11klist purge15de373d-1ffe-499a-9a99-2747b4efd0d1 410615103150x0141132Microsoft-Windows-PowerShell/Operationalar-win-3.attackrange.local0102a5ca-d496-4118-a14a-a4948485691fa93a0f5d-dd2b-4bad-82c1-4a084022e47a 7300x8000000000000027959Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"876","Execution_ThreadID":"2636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"876","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:14.1320373Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:16Z"} 7300x8000000000000027958Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"876","Execution_ThreadID":"2636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"876","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:14.1315569Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:16Z"} 7300x8000000000000027957Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"876","Execution_ThreadID":"3152","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"876","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:13.9097189Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:16Z"} 154100x800000000000000014189Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:15:16.609{0F843AFE-A544-641C-6406-00000000D302}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000014188Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:15:15.849{0F843AFE-A543-641C-6306-00000000D302}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012440Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:15:14.585{8FCC9F6C-A542-641C-6306-00000000D302}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014187Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:15:14.096{0F843AFE-A542-641C-6206-00000000D302}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027995Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"2312","Execution_ThreadID":"1540","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.6923193Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 7300x8000000000000027994Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"2312","Execution_ThreadID":"1540","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.6918499Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 7300x8000000000000027993Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB7E4B0000","EventID":"5","Execution_ProcessID":"2312","Execution_ThreadID":"3980","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB7E4B0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2312","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.4199239Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 154100x800000000000000012439Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:15:12.117{8FCC9F6C-A540-641C-6206-00000000D302}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:15:12.089{9792FEB4-A540-641C-6506-00000000D302}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014186Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:15:12.147{0F843AFE-A540-641C-6106-00000000D302}1820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027985Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"1012","Execution_ThreadID":"3484","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1012","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.2811509Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 7300x8000000000000027984Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"1012","Execution_ThreadID":"3484","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1012","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.2803935Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 7300x8000000000000027983Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"1012","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1012","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:11.0789085Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:12Z"} 154100x800000000000000012438Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:15:11.242{8FCC9F6C-A53F-641C-6106-00000000D302}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013097Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:10.721{C9DE9129-A53E-641C-A106-00000000D302}1528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012470Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:15:09.527{E6E25EEE-A53D-641C-6506-00000000D302}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027990Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3488","Execution_ThreadID":"3996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:10.3346411Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:09Z"} 7300x8000000000000027989Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3488","Execution_ThreadID":"3996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:10.3330453Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:09Z"} 7300x8000000000000027988Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3488","Execution_ThreadID":"1344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3488","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:10.1076344Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:09Z"} 154100x800000000000000012469Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:15:09.299{CAB910BF-A53D-641C-6306-00000000D302}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012469Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:15:08.765{E6E25EEE-A53C-641C-6406-00000000D302}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012468Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:15:08.544{CAB910BF-A53C-641C-6206-00000000D302}2364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012431Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:15:08.632{B5208300-A53C-641C-6306-00000000D302}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012447Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:15:08.997{9792FEB4-A53C-641C-6406-00000000D302}2340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012446Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:15:08.229{9792FEB4-A53C-641C-6306-00000000D302}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013096Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:08.543{C9DE9129-A53C-641C-A006-00000000D302}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028108Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"4940","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:07.2261275Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:08Z"} 7300x8000000000000028107Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"4940","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:07.2256642Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:08Z"} 7300x8000000000000028106Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"4340","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:07.0031212Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:08Z"} 154100x800000000000000012430Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:15:07.805{B5208300-A53B-641C-6206-00000000D302}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013095Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:15:07.775{C9DE9129-A53B-641C-9F06-00000000D302}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028002Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"1424","Execution_ThreadID":"2740","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1424","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:06.492394Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:07Z"} 7300x8000000000000028001Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"1424","Execution_ThreadID":"2740","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1424","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:06.4912835Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:07Z"} 7300x8000000000000028000Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"1424","Execution_ThreadID":"2276","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1424","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:06.257725Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:07Z"} 154100x800000000000000012467Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:15:06.682{CAB910BF-A53A-641C-6106-00000000D302}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141638Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012468Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:15:05.509{E6E25EEE-A539-641C-6306-00000000D302}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000141042Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027970Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3464","Execution_ThreadID":"912","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3464","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:05.8455492Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:05Z"} 7300x8000000000000027969Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3464","Execution_ThreadID":"912","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3464","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:05.8451261Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:05Z"} 7300x8000000000000027968Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDB0EC0000","EventID":"5","Execution_ProcessID":"3464","Execution_ThreadID":"3980","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDB0EC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3464","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:15:05.6851796Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:15:05Z"} 154100x800000000000000012467Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:15:04.692{E6E25EEE-A538-641C-6206-00000000D302}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012429Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:15:04.791{B5208300-A538-641C-6106-00000000D302}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012466Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:15:03.219{CAB910BF-A537-641C-6006-00000000D302}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:15:02.735{B5208300-A536-641C-6006-00000000D302}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141637Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141040Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4634001254500x8020000000000000200153Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83d5a83 4624201254400x8020000000000000200152Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x83d5a83KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46250155%%1833---%%18430x0%%1842 4672001254800x8020000000000000200151Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83d5a8SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000200150Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83d52a3 4624201254400x8020000000000000200149Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x83d52a3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46250154%%1833---%%18430x0%%1842 4672001254800x8020000000000000200148Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83d52aSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000014562Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:14:40.184{54d3457e-a520-641c-ac06-000000004602}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200146Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83c5273 4624201254400x8020000000000000200145Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x83c5273KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150152%%1833---%%18430x0%%1842 4672001254800x8020000000000000200144Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x83c527SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012437Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:14:39.632{8FCC9F6C-A51F-641C-6006-00000000D302}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014185Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:14:39.300{0F843AFE-A51F-641C-6006-00000000D302}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012436Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:14:38.880{8FCC9F6C-A51E-641C-5F06-00000000D302}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012597Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:14:37.400{94bfb0cf-a51d-641c-a606-000000004702}1388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014561Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:14:37.056{54d3457e-a51d-641c-ab06-000000004602}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012596Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:14:36.647{94bfb0cf-a51c-641c-a506-000000004702}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014560Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:14:36.318{54d3457e-a51c-641c-aa06-000000004602}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012445Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:14:36.345{9792FEB4-A51C-641C-6206-00000000D302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013094Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:14:36.246{C9DE9129-A51C-641C-9E06-00000000D302}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012595Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:14:35.883{94bfb0cf-a51b-641c-a406-000000004702}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012444Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:14:35.593{9792FEB4-A51B-641C-6106-00000000D302}3860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013093Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:14:35.489{C9DE9129-A51B-641C-9D06-00000000D302}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012594Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:14:35.133{94bfb0cf-a51b-641c-a306-000000004702}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014559Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:14:35.088{54d3457e-a51b-641c-a906-000000004602}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012593Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:14:34.373{94bfb0cf-a51a-641c-a206-000000004702}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014558Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:14:34.214{54d3457e-a51a-641c-a806-000000004602}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012466Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:14:32.318{E6E25EEE-A518-641C-6106-00000000D302}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012465Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:14:31.773{CAB910BF-A517-641C-5F06-00000000D302}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:14:30.003{B5208300-A516-641C-5F06-00000000D302}2480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012583Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:14:25.682{8fd3d7d2-a511-641c-a906-000000004702}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012582Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:14:24.576{8fd3d7d2-a510-641c-a806-000000004702}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012581Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:14:23.619{8fd3d7d2-a50f-641c-a706-000000004702}4460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012580Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:14:22.103{8fd3d7d2-a50e-641c-a606-000000004702}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012579Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:14:21.352{8fd3d7d2-a50d-641c-a506-000000004702}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 7300x8000000000000027956Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"2840","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2840","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:14.0798286Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:17Z"} 7300x8000000000000027955Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"2840","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2840","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:14.0793584Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:17Z"} 154100x800000000000000014184Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:14:16.437{0F843AFE-A508-641C-5F06-00000000D302}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027954Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"2840","Execution_ThreadID":"2500","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2840","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:13.9027778Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:16Z"} 154100x800000000000000014183Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:14:15.839{0F843AFE-A507-641C-5E06-00000000D302}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012435Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:14:14.591{8FCC9F6C-A506-641C-5E06-00000000D302}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014182Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:14:14.081{0F843AFE-A506-641C-5D06-00000000D302}1760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027982Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2868","Execution_ThreadID":"2336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2868","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.2454104Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:13Z"} 7300x8000000000000027981Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2868","Execution_ThreadID":"2336","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2868","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.2432567Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:13Z"} 7300x8000000000000027992Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3776","Execution_ThreadID":"436","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3776","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.6012977Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:12Z"} 7300x8000000000000027991Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3776","Execution_ThreadID":"436","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3776","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.5993554Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:12Z"} 7300x8000000000000027990Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB7E4B0000","EventID":"5","Execution_ProcessID":"3776","Execution_ThreadID":"4068","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB7E4B0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3776","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.3780186Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:12Z"} 154100x800000000000000012434Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:14:12.076{8FCC9F6C-A504-641C-5D06-00000000D302}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012443Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:14:12.079{9792FEB4-A504-641C-6006-00000000D302}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014181Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:14:12.147{0F843AFE-A504-641C-5C06-00000000D302}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027980Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2868","Execution_ThreadID":"3644","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2868","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:11.0726265Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:12Z"} 154100x800000000000000012433Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:14:11.227{8FCC9F6C-A503-641C-5C06-00000000D302}1512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013092Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:14:10.715{C9DE9129-A502-641C-9C06-00000000D302}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012465Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:14:09.525{E6E25EEE-A501-641C-6006-00000000D302}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027987Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"2824","Execution_ThreadID":"3160","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:10.2902674Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:09Z"} 7300x8000000000000027986Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"2824","Execution_ThreadID":"3160","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:10.2898258Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:09Z"} 7300x8000000000000027985Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"2824","Execution_ThreadID":"4080","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:10.1052784Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:09Z"} 154100x800000000000000012464Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:14:09.285{CAB910BF-A501-641C-5E06-00000000D302}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012464Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:14:08.766{E6E25EEE-A500-641C-5F06-00000000D302}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012463Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:14:08.532{CAB910BF-A500-641C-5D06-00000000D302}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012426Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:14:08.555{B5208300-A500-641C-5E06-00000000D302}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012442Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:14:08.972{9792FEB4-A500-641C-5F06-00000000D302}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012441Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:14:08.219{9792FEB4-A500-641C-5E06-00000000D302}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000028105Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4324","Execution_ThreadID":"4700","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4324","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:07.2228892Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:08Z"} 7300x8000000000000028104Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4324","Execution_ThreadID":"4700","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4324","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:07.2222597Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:08Z"} 154100x800000000000000013091Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:14:08.526{C9DE9129-A500-641C-9B06-00000000D302}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012425Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:14:07.804{B5208300-A4FF-641C-5D06-00000000D302}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013090Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:14:07.777{C9DE9129-A4FF-641C-9A06-00000000D302}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027999Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"1128","Execution_ThreadID":"1200","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1128","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:06.4879731Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:07Z"} 7300x8000000000000027998Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"1128","Execution_ThreadID":"1200","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1128","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:06.4872432Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:07Z"} 7300x8000000000000027997Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC50000","EventID":"5","Execution_ProcessID":"1128","Execution_ThreadID":"3928","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC50000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1128","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:06.2501027Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:07Z"} 7300x8000000000000028103Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"4324","Execution_ThreadID":"4636","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4324","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:07.0081866Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:07Z"} 154100x800000000000000012462Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:14:06.670{CAB910BF-A4FE-641C-5C06-00000000D302}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027967Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"4016","Execution_ThreadID":"2492","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4016","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:05.814164Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:06Z"} 7300x8000000000000027966Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"4016","Execution_ThreadID":"2492","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4016","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:05.8137335Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:06Z"} 154100x800000000000000012463Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:14:05.511{E6E25EEE-A4FD-641C-5E06-00000000D302}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000141626Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141029Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012462Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:14:04.693{E6E25EEE-A4FC-641C-5D06-00000000D302}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012424Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:14:04.768{B5208300-A4FC-641C-5C06-00000000D302}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027965Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA92C0000","EventID":"5","Execution_ProcessID":"3888","Execution_ThreadID":"704","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA92C0000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3888","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:14:03.6346154Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:14:03Z"} 154100x800000000000000012461Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:14:03.220{CAB910BF-A4FB-641C-5B06-00000000D302}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012423Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:14:02.726{B5208300-A4FA-641C-5B06-00000000D302}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141625Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141028Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014557Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:13:40.167{54d3457e-a4e4-641c-a706-000000004602}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200138Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x835df53 4624201254400x8020000000000000200137Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x835df53KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150151%%1833---%%18430x0%%1842 4672001254800x8020000000000000200136Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x835df5SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012432Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:13:39.780{8FCC9F6C-A4E3-641C-5B06-00000000D302}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014180Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:13:39.282{0F843AFE-A4E3-641C-5B06-00000000D302}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012431Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:13:38.887{8FCC9F6C-A4E2-641C-5A06-00000000D302}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012592Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:13:37.325{94bfb0cf-a4e1-641c-a106-000000004702}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014556Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:13:37.080{54d3457e-a4e1-641c-a606-000000004602}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012591Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:13:36.678{94bfb0cf-a4e0-641c-a006-000000004702}4724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014555Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:13:36.317{54d3457e-a4e0-641c-a506-000000004602}464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012440Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:13:36.341{9792FEB4-A4E0-641C-5D06-00000000D302}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013089Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:13:36.241{C9DE9129-A4E0-641C-9906-00000000D302}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012590Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:13:35.922{94bfb0cf-a4df-641c-9f06-000000004702}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012589Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:13:35.157{94bfb0cf-a4df-641c-9e06-000000004702}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012439Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:13:35.580{9792FEB4-A4DF-641C-5C06-00000000D302}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013088Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:13:35.465{C9DE9129-A4DF-641C-9806-00000000D302}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014554Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:13:35.076{54d3457e-a4df-641c-a406-000000004602}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012588Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:13:34.413{94bfb0cf-a4de-641c-9d06-000000004702}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014553Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:13:34.207{54d3457e-a4de-641c-a306-000000004602}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012461Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:13:32.323{E6E25EEE-A4DC-641C-5C06-00000000D302}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:13:31.772{CAB910BF-A4DB-641C-5A06-00000000D302}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012422Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:13:29.999{B5208300-A4D9-641C-5A06-00000000D302}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012578Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:13:25.669{8fd3d7d2-a4d5-641c-a406-000000004702}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012577Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:13:24.578{8fd3d7d2-a4d4-641c-a306-000000004702}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012576Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:13:23.676{8fd3d7d2-a4d3-641c-a206-000000004702}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012575Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:13:22.111{8fd3d7d2-a4d2-641c-a106-000000004702}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012574Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:13:21.360{8fd3d7d2-a4d1-641c-a006-000000004702}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014179Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:13:16.442{0F843AFE-A4CC-641C-5A06-00000000D302}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027953Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"3300","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:14.3166588Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:16Z"} 7300x8000000000000027952Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"3300","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:14.3158793Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:16Z"} 7300x8000000000000027951Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"2328","Execution_ThreadID":"328","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2328","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:13.8883517Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:16Z"} 154100x800000000000000014178Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:13:15.818{0F843AFE-A4CB-641C-5906-00000000D302}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012430Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:13:14.583{8FCC9F6C-A4CA-641C-5906-00000000D302}2224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014177Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:13:14.082{0F843AFE-A4CA-641C-5806-00000000D302}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027979Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2708","Execution_ThreadID":"4036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2708","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.2576106Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:13Z"} 7300x8000000000000027978Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2708","Execution_ThreadID":"4036","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2708","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.2569311Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:13Z"} 7300x8000000000000027989Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3612","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.5563614Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:12Z"} 7300x8000000000000027988Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3612","Execution_ThreadID":"4028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.5558929Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:12Z"} 7300x8000000000000027987Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80AF0000","EventID":"5","Execution_ProcessID":"3612","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80AF0000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.3676796Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:12Z"} 154100x800000000000000012429Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:13:12.068{8FCC9F6C-A4C8-641C-5806-00000000D302}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012438Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:13:12.071{9792FEB4-A4C8-641C-5B06-00000000D302}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014176Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:13:12.131{0F843AFE-A4C8-641C-5706-00000000D302}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027977Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2708","Execution_ThreadID":"2900","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2708","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:11.0671633Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:12Z"} 154100x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:13:11.208{8FCC9F6C-A4C7-641C-5706-00000000D302}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013087Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:13:10.699{C9DE9129-A4C6-641C-9706-00000000D302}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012460Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:13:09.516{E6E25EEE-A4C5-641C-5B06-00000000D302}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027984Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3516","Execution_ThreadID":"464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3516","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:10.2478093Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:09Z"} 7300x8000000000000027983Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3516","Execution_ThreadID":"464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3516","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:10.2461512Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:09Z"} 7300x8000000000000027982Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3516","Execution_ThreadID":"2768","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3516","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:10.1009674Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:09Z"} 154100x800000000000000012459Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:13:09.409{CAB910BF-A4C5-641C-5906-00000000D302}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012459Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:13:08.763{E6E25EEE-A4C4-641C-5A06-00000000D302}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012458Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:13:08.521{CAB910BF-A4C4-641C-5806-00000000D302}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012421Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:13:08.554{B5208300-A4C4-641C-5906-00000000D302}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012437Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:13:08.956{9792FEB4-A4C4-641C-5A06-00000000D302}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012436Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:13:08.216{9792FEB4-A4C4-641C-5906-00000000D302}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000028102Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"1852","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:07.1784441Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:08Z"} 7300x8000000000000028101Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"1852","Execution_ThreadID":"3156","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:07.1778272Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:08Z"} 7300x8000000000000028100Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"1852","Execution_ThreadID":"3616","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:07.00505Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:08Z"} 154100x800000000000000013086Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:13:08.510{C9DE9129-A4C4-641C-9606-00000000D302}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012420Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:13:07.806{B5208300-A4C3-641C-5806-00000000D302}700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013085Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:13:07.767{C9DE9129-A4C3-641C-9506-00000000D302}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027996Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"1824","Execution_ThreadID":"1192","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:06.5050204Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:07Z"} 7300x8000000000000027995Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"1824","Execution_ThreadID":"1192","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:06.5043695Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:07Z"} 154100x800000000000000012457Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:13:06.656{CAB910BF-A4C2-641C-5706-00000000D302}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027994Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"1824","Execution_ThreadID":"3304","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1824","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:06.2284875Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:06Z"} 154100x800000000000000012458Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:13:05.510{E6E25EEE-A4C1-641C-5906-00000000D302}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027964Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3436","Execution_ThreadID":"316","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3436","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:05.8524824Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:05Z"} 7300x8000000000000027963Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3436","Execution_ThreadID":"316","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3436","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:05.8520359Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:05Z"} 4673001305600x8010000000000000141017Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012457Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:13:04.693{E6E25EEE-A4C0-641C-5806-00000000D302}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012419Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:13:04.779{B5208300-A4C0-641C-5706-00000000D302}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027962Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"600","Execution_ThreadID":"1820","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"600","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:13:03.6187203Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:13:03Z"} 154100x800000000000000012456Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:13:03.222{CAB910BF-A4BF-641C-5606-00000000D302}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012418Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:13:02.726{B5208300-A4BE-641C-5606-00000000D302}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141016Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014552Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:12:40.149{54d3457e-a4a8-641c-a206-000000004602}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200130Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x82e8a63 4624201254400x8020000000000000200129Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x82e8a63KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150150%%1833---%%18430x0%%1842 4672001254800x8020000000000000200128Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x82e8a6SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:12:39.635{8FCC9F6C-A4A7-641C-5606-00000000D302}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014175Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:12:39.258{0F843AFE-A4A7-641C-5606-00000000D302}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012426Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:12:38.883{8FCC9F6C-A4A6-641C-5506-00000000D302}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012587Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:12:37.378{94bfb0cf-a4a5-641c-9c06-000000004702}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014551Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:12:37.059{54d3457e-a4a5-641c-a106-000000004602}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012586Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:12:36.689{94bfb0cf-a4a4-641c-9b06-000000004702}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014550Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:12:36.315{54d3457e-a4a4-641c-a006-000000004602}4864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012435Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:12:36.324{9792FEB4-A4A4-641C-5806-00000000D302}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013084Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:12:36.205{C9DE9129-A4A4-641C-9406-00000000D302}2928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012585Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:12:35.929{94bfb0cf-a4a3-641c-9a06-000000004702}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012584Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:12:35.186{94bfb0cf-a4a3-641c-9906-000000004702}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012434Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:12:35.566{9792FEB4-A4A3-641C-5706-00000000D302}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013083Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:12:35.446{C9DE9129-A4A3-641C-9306-00000000D302}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014549Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:12:35.064{54d3457e-a4a3-641c-9f06-000000004602}1604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012583Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:12:34.440{94bfb0cf-a4a2-641c-9806-000000004702}2180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014548Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:12:34.191{54d3457e-a4a2-641c-9e06-000000004602}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012456Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:12:32.323{E6E25EEE-A4A0-641C-5706-00000000D302}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012455Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:12:31.773{CAB910BF-A49F-641C-5506-00000000D302}192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012417Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:12:29.992{B5208300-A49D-641C-5506-00000000D302}680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012573Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:12:25.678{8fd3d7d2-a499-641c-9f06-000000004702}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012572Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:12:24.581{8fd3d7d2-a498-641c-9e06-000000004702}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012571Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:12:23.692{8fd3d7d2-a497-641c-9d06-000000004702}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012570Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:12:22.113{8fd3d7d2-a496-641c-9c06-000000004702}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012569Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:12:21.358{8fd3d7d2-a495-641c-9b06-000000004702}2156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014174Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:12:16.686{0F843AFE-A490-641C-5506-00000000D302}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027950Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"664","Execution_ThreadID":"2752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:14.2305652Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:16Z"} 7300x8000000000000027949Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"664","Execution_ThreadID":"2752","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:14.2287224Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:16Z"} 7300x8000000000000027948Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"664","Execution_ThreadID":"1812","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"664","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:13.8790354Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:16Z"} 154100x800000000000000014173Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:12:15.805{0F843AFE-A48F-641C-5406-00000000D302}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012425Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:12:14.568{8FCC9F6C-A48E-641C-5406-00000000D302}1352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014172Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:12:14.069{0F843AFE-A48E-641C-5306-00000000D302}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027986Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3456","Execution_ThreadID":"2268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3456","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.6086283Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:13Z"} 7300x8000000000000027985Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3456","Execution_ThreadID":"2268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3456","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.6079651Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:13Z"} 7300x8000000000000027984Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80AF0000","EventID":"5","Execution_ProcessID":"3456","Execution_ThreadID":"2804","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80AF0000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3456","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.3856666Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:13Z"} 154100x800000000000000012424Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:12:12.085{8FCC9F6C-A48C-641C-5306-00000000D302}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012433Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:12:12.052{9792FEB4-A48C-641C-5606-00000000D302}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014171Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:12:12.114{0F843AFE-A48C-641C-5206-00000000D302}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027976Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"940","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"940","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.2372639Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:12Z"} 7300x8000000000000027975Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"940","Execution_ThreadID":"3588","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"940","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.2367175Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:12Z"} 7300x8000000000000027974Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"940","Execution_ThreadID":"2860","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"940","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:11.0515422Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:12Z"} 154100x800000000000000012423Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:12:11.209{8FCC9F6C-A48B-641C-5206-00000000D302}300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013082Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:12:10.689{C9DE9129-A48A-641C-9206-00000000D302}4780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012455Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:12:09.494{E6E25EEE-A489-641C-5606-00000000D302}1844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027981Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"2420","Execution_ThreadID":"2464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2420","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:10.2517025Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:09Z"} 7300x8000000000000027980Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"2420","Execution_ThreadID":"2464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2420","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:10.2512413Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:09Z"} 7300x8000000000000027979Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"2420","Execution_ThreadID":"2596","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2420","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:10.0818214Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:09Z"} 154100x800000000000000012454Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:12:09.278{CAB910BF-A489-641C-5406-00000000D302}920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012454Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:12:08.744{E6E25EEE-A488-641C-5506-00000000D302}2420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012416Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:12:08.544{B5208300-A488-641C-5406-00000000D302}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012453Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:12:08.524{CAB910BF-A488-641C-5306-00000000D302}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012432Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:12:08.957{9792FEB4-A488-641C-5506-00000000D302}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012431Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:12:08.200{9792FEB4-A488-641C-5406-00000000D302}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013081Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:12:08.529{C9DE9129-A488-641C-9106-00000000D302}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028099Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"3068","Execution_ThreadID":"4004","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3068","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:07.2473682Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:08Z"} 7300x8000000000000028098Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"3068","Execution_ThreadID":"4004","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3068","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:07.2460104Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:08Z"} 7300x8000000000000028097Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"3068","Execution_ThreadID":"700","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3068","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:07.0098029Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:08Z"} 154100x800000000000000012415Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:12:07.795{B5208300-A487-641C-5306-00000000D302}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027993Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"3048","Execution_ThreadID":"664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3048","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:06.5273233Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:07Z"} 7300x8000000000000027992Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"3048","Execution_ThreadID":"664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3048","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:06.5262076Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:07Z"} 154100x800000000000000013080Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:12:07.766{C9DE9129-A487-641C-9006-00000000D302}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:12:06.649{CAB910BF-A486-641C-5206-00000000D302}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141603Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012453Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:12:05.489{E6E25EEE-A485-641C-5406-00000000D302}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000141004Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027961Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3480","Execution_ThreadID":"1248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3480","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:05.8157593Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:05Z"} 7300x8000000000000027960Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3480","Execution_ThreadID":"1248","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3480","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:05.815242Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:05Z"} 7300x8000000000000027959Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDB0E80000","EventID":"5","Execution_ProcessID":"3480","Execution_ThreadID":"3280","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDB0E80000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3480","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:05.6479375Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:05Z"} 154100x800000000000000012452Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:12:04.685{E6E25EEE-A484-641C-5306-00000000D302}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012414Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:12:04.753{B5208300-A484-641C-5206-00000000D302}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027991Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF9605A0000","EventID":"5","Execution_ProcessID":"3584","Execution_ThreadID":"3484","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF9605A0000","ImageCheckSum":"172443","ImageLoaded":"\\Windows\\System32\\bcrypt.dll","ImageName":"\\Windows\\System32\\bcrypt.dll","ImageSize":"0x2B000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\bcrypt.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:12:02.8352863Z","TimeDateStamp":"1672975272","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:12:04Z"} 154100x800000000000000012451Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:12:03.226{CAB910BF-A483-641C-5106-00000000D302}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012413Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:12:02.718{B5208300-A482-641C-5106-00000000D302}464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141602Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000141003Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4634001254500x8020000000000000200122Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8280cb3 4624201254400x8020000000000000200121Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8280cb3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150149%%1833---%%18430x0%%1842 4672001254800x8020000000000000200120Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8280cbSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000014547Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:11:40.132{54d3457e-a46c-641c-9d06-000000004602}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012422Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:11:39.621{8FCC9F6C-A46B-641C-5106-00000000D302}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014170Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:11:39.239{0F843AFE-A46B-641C-5106-00000000D302}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012421Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:11:38.874{8FCC9F6C-A46A-641C-5006-00000000D302}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012582Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:11:37.383{94bfb0cf-a469-641c-9706-000000004702}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014546Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:11:37.055{54d3457e-a469-641c-9c06-000000004602}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012581Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:11:36.609{94bfb0cf-a468-641c-9606-000000004702}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014545Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:11:36.303{54d3457e-a468-641c-9b06-000000004602}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012430Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:11:36.321{9792FEB4-A468-641C-5306-00000000D302}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013079Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:11:36.214{C9DE9129-A468-641C-8F06-00000000D302}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012580Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:11:35.858{94bfb0cf-a467-641c-9506-000000004702}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012429Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:11:35.561{9792FEB4-A467-641C-5206-00000000D302}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012579Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:11:35.219{94bfb0cf-a467-641c-9406-000000004702}460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013078Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:11:35.442{C9DE9129-A467-641C-8E06-00000000D302}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014544Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:11:35.065{54d3457e-a467-641c-9a06-000000004602}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012578Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:11:34.454{94bfb0cf-a466-641c-9306-000000004702}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014543Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:11:34.188{54d3457e-a466-641c-9906-000000004602}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012451Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:11:32.322{E6E25EEE-A464-641C-5206-00000000D302}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012450Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:11:31.768{CAB910BF-A463-641C-5006-00000000D302}2328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012412Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:11:29.984{B5208300-A461-641C-5006-00000000D302}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012568Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:11:25.684{8fd3d7d2-a45d-641c-9a06-000000004702}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012567Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:11:24.579{8fd3d7d2-a45c-641c-9906-000000004702}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012566Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:11:23.704{8fd3d7d2-a45b-641c-9806-000000004702}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012565Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:11:22.143{8fd3d7d2-a45a-641c-9706-000000004702}5096C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012564Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:11:21.370{8fd3d7d2-a459-641c-9606-000000004702}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 7300x8000000000000027947Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"1396","Execution_ThreadID":"3328","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:14.1417764Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:16Z"} 7300x8000000000000027946Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"1396","Execution_ThreadID":"3328","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:14.1404599Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:16Z"} 154100x800000000000000014169Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:11:16.559{0F843AFE-A454-641C-5006-00000000D302}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027945Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"1396","Execution_ThreadID":"1464","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:13.8829577Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:16Z"} 154100x800000000000000014168Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:11:15.803{0F843AFE-A453-641C-4F06-00000000D302}1396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012420Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:11:14.571{8FCC9F6C-A452-641C-4F06-00000000D302}2712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014167Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:11:14.050{0F843AFE-A452-641C-4E06-00000000D302}256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027973Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2576","Execution_ThreadID":"3124","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2576","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.2489431Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:13Z"} 7300x8000000000000027972Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2576","Execution_ThreadID":"3124","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2576","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.2483566Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:13Z"} 7300x8000000000000027983Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"4000","Execution_ThreadID":"624","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4000","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.6514236Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:12Z"} 7300x8000000000000027982Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"4000","Execution_ThreadID":"624","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4000","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.6509293Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:12Z"} 7300x8000000000000027981Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80B40000","EventID":"5","Execution_ProcessID":"4000","Execution_ThreadID":"3236","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80B40000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4000","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.3910835Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:12Z"} 154100x800000000000000012419Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:11:12.096{8FCC9F6C-A450-641C-4E06-00000000D302}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:11:12.042{9792FEB4-A450-641C-5106-00000000D302}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014166Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:11:12.121{0F843AFE-A450-641C-4D06-00000000D302}3648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027971Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2576","Execution_ThreadID":"2952","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2576","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:11.0445418Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:12Z"} 154100x800000000000000012418Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:11:11.215{8FCC9F6C-A44F-641C-4D06-00000000D302}3892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013077Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:11:10.669{C9DE9129-A44E-641C-8D06-00000000D302}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027978Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3080","Execution_ThreadID":"2000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3080","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:10.2386557Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:09Z"} 7300x8000000000000027977Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3080","Execution_ThreadID":"2000","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3080","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:10.2381199Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:09Z"} 154100x800000000000000012450Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:11:09.376{E6E25EEE-A44D-641C-5106-00000000D302}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012449Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:11:09.278{CAB910BF-A44D-641C-4F06-00000000D302}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012449Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:11:08.738{E6E25EEE-A44C-641C-5006-00000000D302}3080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027976Applicationar-win-5.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3080","Execution_ThreadID":"1920","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3080","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:10.0739662Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:08Z"} 154100x800000000000000012411Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:11:08.565{B5208300-A44C-641C-4F06-00000000D302}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:11:08.520{CAB910BF-A44C-641C-4E06-00000000D302}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:11:08.945{9792FEB4-A44C-641C-5006-00000000D302}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012426Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:11:08.195{9792FEB4-A44C-641C-4F06-00000000D302}2204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013076Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:11:08.498{C9DE9129-A44C-641C-8C06-00000000D302}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028096Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4632","Execution_ThreadID":"1168","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4632","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:07.2148595Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:08Z"} 7300x8000000000000028095Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4632","Execution_ThreadID":"1168","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4632","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:07.2143524Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:08Z"} 7300x8000000000000028094Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"4632","Execution_ThreadID":"3028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4632","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:06.9981483Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:08Z"} 154100x800000000000000012410Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:11:07.798{B5208300-A44B-641C-4E06-00000000D302}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013075Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:11:07.748{C9DE9129-A44B-641C-8B06-00000000D302}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027990Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"1432","Execution_ThreadID":"2536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1432","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:06.5127316Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:07Z"} 7300x8000000000000027989Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"1432","Execution_ThreadID":"2536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1432","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:06.5081489Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:07Z"} 7300x8000000000000027988Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95D5D0000","EventID":"5","Execution_ProcessID":"1432","Execution_ThreadID":"3300","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95D5D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1432","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:06.1935835Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:07Z"} 154100x800000000000000012447Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:11:06.624{CAB910BF-A44A-641C-4D06-00000000D302}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141591Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012448Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:11:05.483{E6E25EEE-A449-641C-4F06-00000000D302}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027958Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3928","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:05.8341952Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:05Z"} 7300x8000000000000027957Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3928","Execution_ThreadID":"2936","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:05.8336562Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:05Z"} 4673001305600x8010000000000000140992Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012447Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:11:04.672{E6E25EEE-A448-641C-4E06-00000000D302}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012409Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:11:04.745{B5208300-A448-641C-4D06-00000000D302}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 7300x8000000000000027956Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"2672","Execution_ThreadID":"3544","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2672","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:11:03.5972808Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:11:03Z"} 154100x800000000000000012446Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:11:03.224{CAB910BF-A447-641C-4C06-00000000D302}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012408Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:11:02.701{B5208300-A446-641C-4C06-00000000D302}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141590Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000140991Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014542Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:10:40.135{54d3457e-a430-641c-9806-000000004602}1796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200114Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8219bb3 4624201254400x8020000000000000200113Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8219bb3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150148%%1833---%%18430x0%%1842 4672001254800x8020000000000000200112Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8219bbSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012417Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:10:39.765{8FCC9F6C-A42F-641C-4C06-00000000D302}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014165Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:10:39.218{0F843AFE-A42F-641C-4C06-00000000D302}1176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012416Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:10:38.870{8FCC9F6C-A42E-641C-4B06-00000000D302}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012577Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:10:37.488{94bfb0cf-a42d-641c-9206-000000004702}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014541Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:10:37.059{54d3457e-a42d-641c-9706-000000004602}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012576Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:10:36.736{94bfb0cf-a42c-641c-9106-000000004702}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014540Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:10:36.288{54d3457e-a42c-641c-9606-000000004602}4588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012425Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:10:36.319{9792FEB4-A42C-641C-4E06-00000000D302}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013074Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:10:36.193{C9DE9129-A42C-641C-8A06-00000000D302}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012575Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:10:35.986{94bfb0cf-a42b-641c-9006-000000004702}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012424Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:10:35.564{9792FEB4-A42B-641C-4D06-00000000D302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012574Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:10:35.227{94bfb0cf-a42b-641c-8f06-000000004702}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000013073Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:10:35.444{C9DE9129-A42B-641C-8906-00000000D302}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014539Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:10:35.061{54d3457e-a42b-641c-9506-000000004602}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012573Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:10:34.477{94bfb0cf-a42a-641c-8e06-000000004702}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014538Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:10:34.158{54d3457e-a42a-641c-9406-000000004602}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012446Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:10:32.309{E6E25EEE-A428-641C-4D06-00000000D302}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012445Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:10:31.753{CAB910BF-A427-641C-4B06-00000000D302}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 4634001254500x8020000000000000200107Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e7323 154100x800000000000000012407Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:10:29.972{B5208300-A425-641C-4B06-00000000D302}2020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012563Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:10:25.698{8fd3d7d2-a421-641c-9506-000000004702}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012562Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:10:24.592{8fd3d7d2-a420-641c-9406-000000004702}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012561Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:10:23.713{8fd3d7d2-a41f-641c-9306-000000004702}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012560Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:10:22.129{8fd3d7d2-a41e-641c-9206-000000004702}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012559Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:10:21.376{8fd3d7d2-a41d-641c-9106-000000004702}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 4634001254500x8020000000000000200106Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e5523 4634001254500x8020000000000000200105Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e65c3 4634001254500x8020000000000000200104Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e6ab3 4624201254400x8020000000000000200103Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81e7323KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-fe80::25f1:ea03:8efd:c46250147%%1840---%%18430x0%%1842 4672001254800x8020000000000000200102Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e732SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200101Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81e6ab3KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-10.0.1.1450146%%1833---%%18430x0%%1842 4672001254800x8020000000000000200100Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e6abSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200099Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81e65c3KerberosKerberos-{fe9d7c79-1bdf-b551-09b2-4e22da451fa4}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000200098Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e65cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000200097Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81e5523KerberosKerberos-{fad598a9-cc93-6d0b-7561-50e9b8cbbdca}--00x0-fe80::25f1:ea03:8efd:c46250145%%1833---%%18430x0%%1842 4672001254800x8020000000000000200096Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81e552SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 7300x8000000000000027944Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"3588","Execution_ThreadID":"3244","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3588","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:14.0955916Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:16Z"} 7300x8000000000000027943Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"3588","Execution_ThreadID":"3244","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3588","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:14.0948183Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:16Z"} 154100x800000000000000014164Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:10:16.541{0F843AFE-A418-641C-4B06-00000000D302}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000014163Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:10:15.774{0F843AFE-A417-641C-4A06-00000000D302}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027942Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"3588","Execution_ThreadID":"3688","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3588","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:13.858682Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:15Z"} 154100x800000000000000012415Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:10:14.581{8FCC9F6C-A416-641C-4A06-00000000D302}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014162Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:10:14.044{0F843AFE-A416-641C-4906-00000000D302}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027980Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3232","Execution_ThreadID":"3716","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3232","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.5884438Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:13Z"} 7300x8000000000000027979Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3232","Execution_ThreadID":"3716","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3232","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.5878692Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:13Z"} 7300x8000000000000027978Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80AF0000","EventID":"5","Execution_ProcessID":"3232","Execution_ThreadID":"3544","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80AF0000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3232","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.3825713Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:13Z"} 154100x800000000000000012414Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:10:12.089{8FCC9F6C-A414-641C-4906-00000000D302}3232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012423Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:10:12.031{9792FEB4-A414-641C-4C06-00000000D302}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000027970Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"3988","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.1934462Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:12Z"} 7300x8000000000000027969Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"3988","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.1929342Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:12Z"} 7300x8000000000000027968Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"2244","Execution_ThreadID":"3896","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2244","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:11.0360472Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:12Z"} 154100x800000000000000014161Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:10:12.086{0F843AFE-A414-641C-4806-00000000D302}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012413Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:10:11.203{8FCC9F6C-A413-641C-4806-00000000D302}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013072Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:10:10.647{C9DE9129-A412-641C-8806-00000000D302}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012445Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:10:09.472{E6E25EEE-A411-641C-4C06-00000000D302}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027975Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3852","Execution_ThreadID":"692","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:10.2637703Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:09Z"} 7300x8000000000000027974Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3852","Execution_ThreadID":"692","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:10.2631592Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:09Z"} 7300x8000000000000027973Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3852","Execution_ThreadID":"2432","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:10.0559256Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:09Z"} 154100x800000000000000012444Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:10:09.281{CAB910BF-A411-641C-4A06-00000000D302}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012444Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:10:08.722{E6E25EEE-A410-641C-4B06-00000000D302}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012406Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:10:08.557{B5208300-A410-641C-4A06-00000000D302}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012443Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:10:08.522{CAB910BF-A410-641C-4906-00000000D302}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012422Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:10:08.955{9792FEB4-A410-641C-4B06-00000000D302}4052C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012421Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:10:08.186{9792FEB4-A410-641C-4A06-00000000D302}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013071Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:10:08.484{C9DE9129-A410-641C-8706-00000000D302}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028093Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"796","Execution_ThreadID":"2884","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"796","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:07.2219861Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:08Z"} 7300x8000000000000028092Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"796","Execution_ThreadID":"2884","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"796","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:07.2215343Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:08Z"} 7300x8000000000000028091Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"796","Execution_ThreadID":"3948","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"796","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:06.9946717Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:08Z"} 154100x800000000000000012405Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:10:07.788{B5208300-A40F-641C-4906-00000000D302}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013070Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:10:07.732{C9DE9129-A40F-641C-8606-00000000D302}796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027987Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"388","Execution_ThreadID":"3384","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:06.5047894Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:07Z"} 7300x8000000000000027986Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"388","Execution_ThreadID":"3384","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:06.4939787Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:07Z"} 7300x8000000000000027985Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"388","Execution_ThreadID":"2816","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"388","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:06.2038781Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:07Z"} 154100x800000000000000012442Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:10:06.634{CAB910BF-A40E-641C-4806-00000000D302}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141578Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012443Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:10:05.553{E6E25EEE-A40D-641C-4A06-00000000D302}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027955Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"3644","Execution_ThreadID":"1148","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3644","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:05.8888344Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:05Z"} 7300x8000000000000027954Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"3644","Execution_ThreadID":"1148","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3644","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:05.888338Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:05Z"} 4673001305600x8010000000000000140979Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000012442Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:10:04.677{E6E25EEE-A40C-641C-4906-00000000D302}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012404Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:10:04.748{B5208300-A40C-641C-4806-00000000D302}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012441Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:10:03.228{CAB910BF-A40B-641C-4706-00000000D302}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027953Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDA73A0000","EventID":"5","Execution_ProcessID":"604","Execution_ThreadID":"2344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFDA73A0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"604","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:10:03.5847157Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:10:03Z"} 154100x800000000000000012403Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:10:02.692{B5208300-A40A-641C-4706-00000000D302}604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141577Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000140978Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4634001254500x8020000000000000200095Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81bbee3 4624201254400x8020000000000000200094Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81bbee3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46250144%%1833---%%18430x0%%1842 4672001254800x8020000000000000200093Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81bbeeSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000200092Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81bb6f3 4624201254400x8020000000000000200091Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81bb6f3KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-fe80::25f1:ea03:8efd:c46250143%%1833---%%18430x0%%1842 4672001254800x8020000000000000200090Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81bb6fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000014537Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:09:40.133{54d3457e-a3f4-641c-9306-000000004602}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200088Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81ab973 4624201254400x8020000000000000200087Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x81ab973KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150141%%1833---%%18430x0%%1842 4672001254800x8020000000000000200086Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x81ab97SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012412Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:09:39.605{8FCC9F6C-A3F3-641C-4706-00000000D302}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014160Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:09:39.206{0F843AFE-A3F3-641C-4706-00000000D302}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012411Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:09:38.860{8FCC9F6C-A3F2-641C-4606-00000000D302}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012572Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:09:37.524{94bfb0cf-a3f1-641c-8d06-000000004702}1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014536Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:09:37.036{54d3457e-a3f1-641c-9206-000000004602}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012571Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:09:36.774{94bfb0cf-a3f0-641c-8c06-000000004702}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012570Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:09:36.018{94bfb0cf-a3f0-641c-8b06-000000004702}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014535Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:09:36.294{54d3457e-a3f0-641c-9106-000000004602}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012420Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:09:36.317{9792FEB4-A3F0-641C-4906-00000000D302}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013069Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:09:36.197{C9DE9129-A3F0-641C-8506-00000000D302}4684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000014534Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:09:35.157{54d3457e-a3ef-641c-9006-000000004602}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012419Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:09:35.565{9792FEB4-A3EF-641C-4806-00000000D302}192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013068Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:09:35.434{C9DE9129-A3EF-641C-8406-00000000D302}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012569Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:09:35.257{94bfb0cf-a3ef-641c-8a06-000000004702}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012568Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:09:34.504{94bfb0cf-a3ee-641c-8906-000000004702}4332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014533Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:09:34.148{54d3457e-a3ee-641c-8f06-000000004602}4804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012441Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:09:32.303{E6E25EEE-A3EC-641C-4806-00000000D302}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012440Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:09:31.735{CAB910BF-A3EB-641C-4606-00000000D302}884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012402Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:09:29.962{B5208300-A3E9-641C-4606-00000000D302}476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012558Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:09:25.711{8fd3d7d2-a3e5-641c-9006-000000004702}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012557Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:09:24.601{8fd3d7d2-a3e4-641c-8f06-000000004702}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012556Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:09:23.713{8fd3d7d2-a3e3-641c-8e06-000000004702}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012555Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:09:22.147{8fd3d7d2-a3e2-641c-8d06-000000004702}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012554Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:09:21.384{8fd3d7d2-a3e1-641c-8c06-000000004702}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014159Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:09:16.535{0F843AFE-A3DC-641C-4606-00000000D302}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027941Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"2044","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2044","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:14.1132724Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:16Z"} 7300x8000000000000027940Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"2044","Execution_ThreadID":"536","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2044","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:14.1123418Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:16Z"} 7300x8000000000000027939Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"2044","Execution_ThreadID":"1696","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2044","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:13.8567921Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:16Z"} 154100x800000000000000014158Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:09:15.768{0F843AFE-A3DB-641C-4506-00000000D302}2044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012410Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:09:14.581{8FCC9F6C-A3DA-641C-4506-00000000D302}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4634001254500x8020000000000000200081Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8166d13 154100x800000000000000014157Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:09:14.024{0F843AFE-A3DA-641C-4406-00000000D302}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 3704000x8000000000000000119792Systemar-win-6.attackrange.local169.254.169.123,0x9 (ntp.m|0x9|0.0.0.0:123->169.254.169.123:123) 7300x8000000000000027977Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"3848","Execution_ThreadID":"2452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3848","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.7686228Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 7300x8000000000000027976Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"3848","Execution_ThreadID":"2452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3848","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.7664991Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 7300x8000000000000027975Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB81160000","EventID":"5","Execution_ProcessID":"3848","Execution_ThreadID":"520","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB81160000","ImageCheckSum":"230240","ImageLoaded":"\\Windows\\System32\\sspicli.dll","ImageName":"\\Windows\\System32\\sspicli.dll","ImageSize":"0x2C000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\sspicli.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3848","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.3948649Z","TimeDateStamp":"1664518895","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 7300x8000000000000027967Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"852","Execution_ThreadID":"672","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.2865313Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 7300x8000000000000027966Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"852","Execution_ThreadID":"672","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.2795576Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 7300x8000000000000027965Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"852","Execution_ThreadID":"1988","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"852","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:11.0434519Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:13Z"} 154100x800000000000000012409Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:09:12.095{8FCC9F6C-A3D8-641C-4406-00000000D302}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012418Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:09:12.033{9792FEB4-A3D8-641C-4706-00000000D302}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014156Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:09:12.083{0F843AFE-A3D8-641C-4306-00000000D302}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012408Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:09:11.204{8FCC9F6C-A3D7-641C-4306-00000000D302}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013067Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:09:10.633{C9DE9129-A3D6-641C-8306-00000000D302}5052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012440Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:09:09.470{E6E25EEE-A3D5-641C-4706-00000000D302}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027972Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3360","Execution_ThreadID":"1092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3360","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:10.2566078Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:09Z"} 7300x8000000000000027971Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3360","Execution_ThreadID":"1092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3360","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:10.2561601Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:09Z"} 7300x8000000000000027970Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3360","Execution_ThreadID":"928","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3360","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:10.0534099Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:09Z"} 154100x800000000000000012439Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:09:09.282{CAB910BF-A3D5-641C-4506-00000000D302}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012439Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:09:08.721{E6E25EEE-A3D4-641C-4606-00000000D302}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012438Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:09:08.526{CAB910BF-A3D4-641C-4406-00000000D302}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012401Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:09:08.551{B5208300-A3D4-641C-4506-00000000D302}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012417Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:09:08.937{9792FEB4-A3D4-641C-4606-00000000D302}1032C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012416Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:09:08.162{9792FEB4-A3D4-641C-4506-00000000D302}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013066Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:09:08.409{C9DE9129-A3D4-641C-8206-00000000D302}5040C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028090Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"3344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:07.1974661Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:08Z"} 7300x8000000000000028089Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"3344","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:07.1969512Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:08Z"} 7300x8000000000000028088Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF840A80000","EventID":"5","Execution_ProcessID":"3800","Execution_ThreadID":"2564","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF840A80000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3800","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:06.9820291Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:08Z"} 154100x800000000000000012400Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:09:07.782{B5208300-A3D3-641C-4406-00000000D302}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013065Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:09:07.720{C9DE9129-A3D3-641C-8106-00000000D302}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027984Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"2572","Execution_ThreadID":"4088","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2572","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:06.4934528Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:07Z"} 7300x8000000000000027983Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"2572","Execution_ThreadID":"4088","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2572","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:06.4838971Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:07Z"} 154100x800000000000000012437Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:09:06.624{CAB910BF-A3D2-641C-4306-00000000D302}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027982Applicationar-win-8.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"2572","Execution_ThreadID":"2656","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2572","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:06.1925906Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:06Z"} 154100x800000000000000012438Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:09:05.549{E6E25EEE-A3D1-641C-4506-00000000D302}792C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000140967Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027952Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"2688","Execution_ThreadID":"2160","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2688","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:05.8477884Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:05Z"} 7300x8000000000000027951Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"2688","Execution_ThreadID":"2160","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2688","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:05.8472805Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:05Z"} 7300x8000000000000027950Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDAE7E0000","EventID":"5","Execution_ProcessID":"2688","Execution_ThreadID":"2428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDAE7E0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2688","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:09:05.6406623Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:09:05Z"} 154100x800000000000000012437Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:09:04.675{E6E25EEE-A3D0-641C-4406-00000000D302}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012399Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:09:04.747{B5208300-A3D0-641C-4306-00000000D302}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 4624201254400x8020000000000000200080Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8166d13KerberosKerberos-{49301dcc-8cff-a9e2-45e6-961fe71c4adf}--00x0-fe80::25f1:ea03:8efd:c46250140%%1840---%%18430x0%%1842 4672001254800x8020000000000000200079Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8166d1SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012436Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:09:03.227{CAB910BF-A3CF-641C-4206-00000000D302}84C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012398Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:09:02.673{B5208300-A3CE-641C-4206-00000000D302}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000140966Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 4673001305600x8010000000000000373259Securityar-win-3.attackrange.localATTACKRANGE\ELMER_SALASelmer_salasATTACKRANGE0x179355Security-SeTcbPrivilege0xaf0C:\Windows\explorer.exe 154100x800000000000000014532Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:08:40.133{54d3457e-a3b8-641c-8e06-000000004602}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 4634001254500x8020000000000000200077Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x8142293 4624201254400x8020000000000000200076Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x8142293KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150139%%1833---%%18430x0%%1842 4672001254800x8020000000000000200075Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x814229SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000012407Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:08:39.619{8FCC9F6C-A3B7-641C-4206-00000000D302}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014155Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:08:39.197{0F843AFE-A3B7-641C-4206-00000000D302}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012406Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:08:38.852{8FCC9F6C-A3B6-641C-4106-00000000D302}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012567Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:08:37.554{94bfb0cf-a3b5-641c-8806-000000004702}4336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014531Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:08:37.050{54d3457e-a3b5-641c-8d06-000000004602}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012566Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:08:36.794{94bfb0cf-a3b4-641c-8706-000000004702}784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012565Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:08:36.021{94bfb0cf-a3b4-641c-8606-000000004702}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014530Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:08:36.286{54d3457e-a3b4-641c-8c06-000000004602}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012415Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:08:36.313{9792FEB4-A3B4-641C-4406-00000000D302}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013064Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:08:36.168{C9DE9129-A3B4-641C-8006-00000000D302}4372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012564Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:08:35.302{94bfb0cf-a3b3-641c-8506-000000004702}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014529Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:08:35.164{54d3457e-a3b3-641c-8b06-000000004602}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012414Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:08:35.560{9792FEB4-A3B3-641C-4306-00000000D302}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013063Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:08:35.410{C9DE9129-A3B3-641C-7F06-00000000D302}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012563Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:08:34.552{94bfb0cf-a3b2-641c-8406-000000004702}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014528Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:08:34.124{54d3457e-a3b2-641c-8a06-000000004602}4832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012436Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:08:32.292{E6E25EEE-A3B0-641C-4306-00000000D302}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012435Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:08:31.739{CAB910BF-A3AF-641C-4106-00000000D302}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012397Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:08:29.968{B5208300-A3AD-641C-4106-00000000D302}268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012553Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:08:25.719{8fd3d7d2-a3a9-641c-8b06-000000004702}720C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012552Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:08:24.610{8fd3d7d2-a3a8-641c-8a06-000000004702}1456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012551Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:08:23.712{8fd3d7d2-a3a7-641c-8906-000000004702}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012550Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:08:22.152{8fd3d7d2-a3a6-641c-8806-000000004702}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012549Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:08:21.401{8fd3d7d2-a3a5-641c-8706-000000004702}1832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000014154Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:08:16.523{0F843AFE-A3A0-641C-4106-00000000D302}2100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027938Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"3396","Execution_ThreadID":"3148","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:14.0940368Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:16Z"} 7300x8000000000000027937Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"3396","Execution_ThreadID":"3148","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:14.093476Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:16Z"} 7300x8000000000000027936Applicationar-win-7.attackrange.local{"Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"3396","Execution_ThreadID":"3664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3396","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:13.8667916Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:16Z"} 154100x800000000000000014153Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:08:15.774{0F843AFE-A39F-641C-4006-00000000D302}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012405Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:08:14.583{8FCC9F6C-A39E-641C-4006-00000000D302}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014152Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:08:13.998{0F843AFE-A39D-641C-3F06-00000000D302}772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027964Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"3584","Execution_ThreadID":"3808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.2100246Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:13Z"} 7300x8000000000000027963Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"3584","Execution_ThreadID":"3808","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.209538Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:13Z"} 7300x8000000000000027974Applicationar-win-4.attackrange.local{"Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB80AF0000","EventID":"5","Execution_ProcessID":"2140","Execution_ThreadID":"1820","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB80AF0000","ImageCheckSum":"229153","ImageLoaded":"\\Windows\\System32\\IPHLPAPI.DLL","ImageName":"\\Windows\\System32\\IPHLPAPI.DLL","ImageSize":"0x38000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\IPHLPAPI.DLL in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2140","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.362395Z","TimeDateStamp":"1528764093","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:12Z"} 7300x8000000000000027973Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"516","Execution_ThreadID":"3384","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"516","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.0124534Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:12Z"} 7300x8000000000000027972Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"516","Execution_ThreadID":"3384","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"516","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.0120016Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:12Z"} 154100x800000000000000012404Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:08:12.072{8FCC9F6C-A39C-641C-3F06-00000000D302}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012413Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:08:12.022{9792FEB4-A39C-641C-4206-00000000D302}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014151Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:08:12.091{0F843AFE-A39C-641C-3E06-00000000D302}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027962Applicationar-win-9.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"3584","Execution_ThreadID":"592","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3584","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:11.0337121Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:12Z"} 154100x800000000000000012403Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:08:11.186{8FCC9F6C-A39B-641C-3E06-00000000D302}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013062Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:08:10.612{C9DE9129-A39A-641C-7E06-00000000D302}3312C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012435Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:08:09.478{E6E25EEE-A399-641C-4206-00000000D302}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027969Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"3920","Execution_ThreadID":"3268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:10.2594905Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:09Z"} 7300x8000000000000027968Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"3920","Execution_ThreadID":"3268","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:10.2582801Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:09Z"} 7300x8000000000000027967Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"3920","Execution_ThreadID":"3828","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3920","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:10.0594805Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:09Z"} 154100x800000000000000012434Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:08:09.282{CAB910BF-A399-641C-4006-00000000D302}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012434Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:08:08.729{E6E25EEE-A398-641C-4106-00000000D302}3920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012396Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:08:08.535{B5208300-A398-641C-4006-00000000D302}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012433Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:08:08.528{CAB910BF-A398-641C-3F06-00000000D302}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012412Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:08:08.893{9792FEB4-A398-641C-4106-00000000D302}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012411Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:08:08.152{9792FEB4-A398-641C-4006-00000000D302}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013061Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:08:08.485{C9DE9129-A398-641C-7D06-00000000D302}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028087Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4956","Execution_ThreadID":"5112","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4956","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:07.2595598Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:08Z"} 7300x8000000000000028086Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4956","Execution_ThreadID":"5112","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4956","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:07.2589581Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:08Z"} 7300x8000000000000028085Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"4956","Execution_ThreadID":"4772","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4956","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:06.9856278Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:08Z"} 154100x800000000000000012395Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:08:07.778{B5208300-A397-641C-3F06-00000000D302}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013060Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:08:07.717{C9DE9129-A397-641C-7C06-00000000D302}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027981Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"3092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:06.4534431Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:07Z"} 7300x8000000000000027980Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"3092","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:06.4529139Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:07Z"} 154100x800000000000000012432Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:08:06.621{CAB910BF-A396-641C-3E06-00000000D302}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 7300x8000000000000027979Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95D5D0000","EventID":"5","Execution_ProcessID":"928","Execution_ThreadID":"880","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95D5D0000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"928","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:06.1884168Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:06Z"} 4673001305600x8010000000000000141555Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012433Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:08:05.544{E6E25EEE-A395-641C-4006-00000000D302}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000140954Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027949Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"2844","Execution_ThreadID":"3312","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:05.8170737Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:05Z"} 7300x8000000000000027948Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"2844","Execution_ThreadID":"3312","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:05.8164651Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:05Z"} 7300x8000000000000027947Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDB0EC0000","EventID":"5","Execution_ProcessID":"2844","Execution_ThreadID":"3712","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDB0EC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2844","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:08:05.6393668Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:08:05Z"} 154100x800000000000000012432Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:08:04.669{E6E25EEE-A394-641C-3F06-00000000D302}608C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012394Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:08:04.746{B5208300-A394-641C-3E06-00000000D302}2844C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012431Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:08:03.229{CAB910BF-A393-641C-3D06-00000000D302}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012393Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:08:02.665{B5208300-A392-641C-3D06-00000000D302}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141554Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000140953Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 154100x800000000000000014527Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:07:40.124{54d3457e-a37c-641c-8906-000000004602}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012402Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:07:39.621{8FCC9F6C-A37B-641C-3D06-00000000D302}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4634001254500x8020000000000000200069Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x80daf93 4624201254400x8020000000000000200068Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x80daf93KerberosKerberos-{fbaa476d-f60a-6068-d730-6f959ccb91bd}--00x0-::150138%%1833---%%18430x0%%1842 4672001254800x8020000000000000200067Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x80daf9SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 154100x800000000000000014150Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:07:39.196{0F843AFE-A37B-641C-3D06-00000000D302}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012401Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:07:38.853{8FCC9F6C-A37A-641C-3C06-00000000D302}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012562Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:07:37.568{94bfb0cf-a379-641c-8306-000000004702}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014526Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:07:37.162{54d3457e-a379-641c-8806-000000004602}4884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012561Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:07:36.817{94bfb0cf-a378-641c-8206-000000004702}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012560Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:07:36.062{94bfb0cf-a378-641c-8106-000000004702}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014525Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:07:36.273{54d3457e-a378-641c-8706-000000004602}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012410Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:07:36.304{9792FEB4-A378-641C-3F06-00000000D302}2708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013059Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:07:36.174{C9DE9129-A378-641C-7B06-00000000D302}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012559Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:07:35.331{94bfb0cf-a377-641c-8006-000000004702}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000012409Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:07:35.556{9792FEB4-A377-641C-3E06-00000000D302}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000014524Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:07:35.163{54d3457e-a377-641c-8606-000000004602}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013058Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:07:35.404{C9DE9129-A377-641C-7A06-00000000D302}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012558Microsoft-Windows-Sysmon/Operationalar-win-6.attackrange.local-2023-03-23 19:07:34.579{94bfb0cf-a376-641c-7f06-000000004702}548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{94bfb0cf-5fcd-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2992--- 154100x800000000000000014523Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-23 19:07:34.118{54d3457e-a376-641c-8506-000000004602}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{54d3457e-5fd5-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000012431Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:07:32.285{E6E25EEE-A374-641C-3E06-00000000D302}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012430Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:07:31.723{CAB910BF-A373-641C-3C06-00000000D302}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012392Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:07:29.959{B5208300-A371-641C-3C06-00000000D302}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012548Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:07:25.721{8fd3d7d2-a36d-641c-8606-000000004702}724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012547Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:07:24.613{8fd3d7d2-a36c-641c-8506-000000004702}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012546Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:07:23.707{8fd3d7d2-a36b-641c-8406-000000004702}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012545Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:07:22.162{8fd3d7d2-a36a-641c-8306-000000004702}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2948--- 154100x800000000000000012544Microsoft-Windows-Sysmon/Operationalar-win-10.attackrange.local-2023-03-23 19:07:21.412{8fd3d7d2-a369-641c-8206-000000004702}3936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8fd3d7d2-5fd7-641c-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2948--- 7300x8000000000000027935Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5DFD0000","EventID":"5","Execution_ProcessID":"484","Execution_ThreadID":"3724","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5DFD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"484","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:14.1753844Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:17Z"} 7300x8000000000000027934Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E0B0000","EventID":"5","Execution_ProcessID":"484","Execution_ThreadID":"3724","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E0B0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"484","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:14.1747958Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:17Z"} 154100x800000000000000014149Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:07:16.521{0F843AFE-A364-641C-3C06-00000000D302}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027933Applicationar-win-7.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-7","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF5E930000","EventID":"5","Execution_ProcessID":"484","Execution_ThreadID":"2392","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFF5E930000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"484","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:13.8689097Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:16Z"} 154100x800000000000000014148Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:07:15.772{0F843AFE-A363-641C-3B06-00000000D302}484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012400Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:07:14.564{8FCC9F6C-A362-641C-3B06-00000000D302}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000014147Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:07:14.003{0F843AFE-A362-641C-3A06-00000000D302}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1908--- 7300x8000000000000027971Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EA90000","EventID":"5","Execution_ProcessID":"860","Execution_ThreadID":"3440","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EA90000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"860","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.4923032Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:13Z"} 7300x8000000000000027970Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB6EAC0000","EventID":"5","Execution_ProcessID":"860","Execution_ThreadID":"3440","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB6EAC0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"860","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.491649Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:13Z"} 7300x8000000000000027969Applicationar-win-4.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-4","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFB76CA0000","EventID":"5","Execution_ProcessID":"860","Execution_ThreadID":"1748","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFB76CA0000","ImageCheckSum":"253833","ImageLoaded":"\\Windows\\System32\\adsldpc.dll","ImageName":"\\Windows\\System32\\adsldpc.dll","ImageSize":"0x42000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\adsldpc.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"860","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.2873837Z","TimeDateStamp":"1468635677","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:13Z"} 154100x800000000000000012408Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:07:12.012{9792FEB4-A360-641C-3D06-00000000D302}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1888--- 7300x8000000000000027961Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7460000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"3972","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7460000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.2893522Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:12Z"} 7300x8000000000000027960Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFE7490000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"3972","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFE7490000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.288873Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:12Z"} 7300x8000000000000027959Applicationar-win-9.attackrange.local{"Computer":"ar-win-9","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFFF2070000","EventID":"5","Execution_ProcessID":"1428","Execution_ThreadID":"3456","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFFF2070000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1428","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:11.0263684Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:12Z"} 154100x800000000000000014146Microsoft-Windows-Sysmon/Operationalar-win-7.attackrange.local-2023-03-23 19:07:12.078{0F843AFE-A360-641C-3906-00000000D302}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F843AFE-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1908--- 154100x800000000000000012399Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:07:11.997{8FCC9F6C-A35F-641C-3A06-00000000D302}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000012398Microsoft-Windows-Sysmon/Operationalar-win-4.attackrange.local-2023-03-23 19:07:11.180{8FCC9F6C-A35F-641C-3906-00000000D302}3792C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8FCC9F6C-5FD1-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013057Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:07:10.599{C9DE9129-A35E-641C-7906-00000000D302}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2020--- 154100x800000000000000012430Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:07:09.484{E6E25EEE-A35D-641C-3D06-00000000D302}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 7300x8000000000000027966Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD98070000","EventID":"5","Execution_ProcessID":"1896","Execution_ThreadID":"1568","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD98070000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1896","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:10.2307866Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:09Z"} 7300x8000000000000027965Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD91A90000","EventID":"5","Execution_ProcessID":"1896","Execution_ThreadID":"1568","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD91A90000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1896","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:10.2303102Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:09Z"} 7300x8000000000000027964Applicationar-win-5.attackrange.local{"Computer":"ar-win-5","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9C690000","EventID":"5","Execution_ProcessID":"1896","Execution_ThreadID":"2452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFD9C690000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1896","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:10.050564Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:09Z"} 154100x800000000000000012429Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:07:09.289{CAB910BF-A35D-641C-3B06-00000000D302}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012429Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:07:08.723{E6E25EEE-A35C-641C-3C06-00000000D302}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012391Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:07:08.527{B5208300-A35C-641C-3B06-00000000D302}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:07:08.527{CAB910BF-A35C-641C-3A06-00000000D302}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012407Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:07:08.889{9792FEB4-A35C-641C-3C06-00000000D302}200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000012406Microsoft-Windows-Sysmon/Operationalar-win-9.attackrange.local-2023-03-23 19:07:08.149{9792FEB4-A35C-641C-3B06-00000000D302}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{9792FEB4-5FCF-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1888--- 154100x800000000000000013056Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:07:08.451{C9DE9129-A35C-641C-7806-00000000D302}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000028084Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839DD0000","EventID":"5","Execution_ProcessID":"4444","Execution_ThreadID":"4068","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839DD0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4444","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:07.2453882Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:08Z"} 7300x8000000000000028083Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF839E00000","EventID":"5","Execution_ProcessID":"4444","Execution_ThreadID":"4068","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF839E00000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4444","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:07.2427836Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:08Z"} 7300x8000000000000028082Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF8425D0000","EventID":"5","Execution_ProcessID":"4444","Execution_ThreadID":"1216","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FF8425D0000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4444","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:06.9751111Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:08Z"} 154100x800000000000000012390Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:07:07.777{B5208300-A35B-641C-3A06-00000000D302}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000013055Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-23 19:07:07.701{C9DE9129-A35B-641C-7706-00000000D302}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{C9DE9129-5FCD-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2020--- 7300x8000000000000027978Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B690000","EventID":"5","Execution_ProcessID":"3604","Execution_ThreadID":"3544","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B690000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3604","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:06.3949214Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:07Z"} 7300x8000000000000027977Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF94B6C0000","EventID":"5","Execution_ProcessID":"3604","Execution_ThreadID":"3544","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF94B6C0000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3604","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:06.3942672Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:07Z"} 7300x8000000000000027976Applicationar-win-8.attackrange.local{"Computer":"ar-win-8","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FF95FC90000","EventID":"5","Execution_ProcessID":"3604","Execution_ThreadID":"2556","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FF95FC90000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3604","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:06.1781288Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:07Z"} 154100x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:07:06.612{CAB910BF-A35A-641C-3906-00000000D302}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1932--- 4673001305600x8010000000000000141543Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 154100x800000000000000012428Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:07:05.531{E6E25EEE-A359-641C-3B06-00000000D302}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1968--- 4673001305600x8010000000000000140942Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe 7300x8000000000000027946Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC30000","EventID":"5","Execution_ProcessID":"1460","Execution_ThreadID":"2944","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC30000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1460","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:05.8788386Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:05Z"} 7300x8000000000000027945Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD9EC60000","EventID":"5","Execution_ProcessID":"1460","Execution_ThreadID":"2944","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD9EC60000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1460","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:05.8773678Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:05Z"} 7300x8000000000000027944Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFDB0EC0000","EventID":"5","Execution_ProcessID":"1460","Execution_ThreadID":"2028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFDB0EC0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1460","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2370-ga0732b0d1/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-23T19:07:05.6424629Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-23T19:07:05Z"} 154100x800000000000000012389Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:07:04.749{B5208300-A358-641C-3906-00000000D302}1460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1964--- 154100x800000000000000012427Microsoft-Windows-Sysmon/Operationalar-win-5.attackrange.local-2023-03-23 19:07:04.672{E6E25EEE-A358-641C-3A06-00000000D302}32C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E6E25EEE-5FCE-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1968--- 154100x800000000000000012426Microsoft-Windows-Sysmon/Operationalar-win-8.attackrange.local-2023-03-23 19:07:03.231{CAB910BF-A357-641C-3806-00000000D302}536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CAB910BF-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1932--- 154100x800000000000000012388Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-23 19:07:02.664{B5208300-A356-641C-3806-00000000D302}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{B5208300-5FCB-641C-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1964--- 4673001305600x8010000000000000141542Securityar-win-10.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x820C:\Windows\System32\svchost.exe 4673001305600x8010000000000000140941Securityar-win-6.attackrange.localNT AUTHORITY\LOCAL SERVICELOCAL SERVICENT AUTHORITY0x3e5Security-SeProfileSingleProcessPrivilege0x4a4C:\Windows\System32\svchost.exe