4688201331200x8020000000000000362027Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa44C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011367Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:31:14.811{F02F376E-4082-6423-571B-00000000D602}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013498Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:43.409{f73635a5-4063-6423-701c-000000004902}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013497Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:42.644{f73635a5-4062-6423-6f1c-000000004902}1160C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013496Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:42.003{f73635a5-4062-6423-6e1c-000000004902}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013495Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:41.233{f73635a5-4061-6423-6d1c-000000004902}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013494Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:38.167{f73635a5-405e-6423-6c1c-000000004902}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013493Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:30:36.838{f73635a5-405c-6423-6b1c-000000004902}5240C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe NGCKeyPregenC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-ff5c-6421-2700-000000004902}1740C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 4688201331200x8020000000000000362026Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011366Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:30:21.014{F02F376E-404D-6423-561B-00000000D602}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362025Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa28C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011365Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:30:20.369{F02F376E-404C-6423-551B-00000000D602}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362024Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x4b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011364Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:30:19.619{F02F376E-404B-6423-541B-00000000D602}1200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362023Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfa0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011363Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:30:15.565{F02F376E-4047-6423-531B-00000000D602}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000026905Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"2612","Execution_ThreadID":"2028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:30:13.0343041Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:30:15Z"} 7300x8000000000000026904Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"2612","Execution_ThreadID":"2028","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:30:13.0335848Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:30:15Z"} 7300x8000000000000026903Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD054F0000","EventID":"5","Execution_ProcessID":"2612","Execution_ThreadID":"4056","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD054F0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2612","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:30:12.8511682Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:30:15Z"} 4688201331200x8020000000000000362022Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa34C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011362Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:30:14.805{F02F376E-4046-6423-521B-00000000D602}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013492Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:29:43.482{f73635a5-4027-6423-6a1c-000000004902}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013491Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:29:42.728{f73635a5-4026-6423-691c-000000004902}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013490Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:29:41.977{f73635a5-4025-6423-681c-000000004902}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013489Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:29:41.223{f73635a5-4025-6423-671c-000000004902}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013488Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:29:38.140{f73635a5-4022-6423-661c-000000004902}2136C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000011361Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:29:21.125{F02F376E-4011-6423-511B-00000000D602}1872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362021Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x750C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011360Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:29:20.369{F02F376E-4010-6423-501B-00000000D602}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362020Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x3a8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011359Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:29:19.607{F02F376E-400F-6423-4F1B-00000000D602}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362019Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x34cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011358Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:29:15.530{F02F376E-400B-6423-4E1B-00000000D602}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362018Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa88C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000026902Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3192","Execution_ThreadID":"996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3192","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:29:12.997117Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:29:15Z"} 7300x8000000000000026901Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3192","Execution_ThreadID":"996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3192","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:29:12.9966648Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:29:15Z"} 7300x8000000000000026900Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFD870000","EventID":"5","Execution_ProcessID":"3192","Execution_ThreadID":"3988","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFD870000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3192","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:29:12.832727Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:29:15Z"} 154100x800000000000000011357Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:29:14.786{F02F376E-400A-6423-4D1B-00000000D602}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362017Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xc78C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000013487Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:43.479{f73635a5-3feb-6423-651c-000000004902}7136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013486Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:42.726{f73635a5-3fea-6423-641c-000000004902}1944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013485Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:41.965{f73635a5-3fe9-6423-631c-000000004902}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013484Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:41.219{f73635a5-3fe9-6423-621c-000000004902}7124C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013483Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:38.127{f73635a5-3fe6-6423-611c-000000004902}6928C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 22542200x800000000000000013482Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:36.874{f73635a5-3ef4-6423-4a1c-000000004902}6884ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\dllhost.exeATTACKRANGE\Administrator 22542200x800000000000000013481Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:36.873{f73635a5-3ef4-6423-4a1c-000000004902}6884_ldap._tcp.ar-win-dc.attackrange.local.9003-C:\Windows\System32\dllhost.exeATTACKRANGE\Administrator 22542200x800000000000000013480Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:36.872{f73635a5-3ef4-6423-4a1c-000000004902}6884_ldap._tcp.Default-First-Site-Name._sites.ar-win-dc.attackrange.local.9003-C:\Windows\System32\dllhost.exeATTACKRANGE\Administrator 5136001408100x8020000000000000170163Securityar-win-dc.attackrange.local{261a0e62-d22a-4832-a302-14e6e9877864}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=ATTACKRANGE,DC=LOCAL{2372d0aa-b81e-4b91-9357-e73b9ba51a4f}groupPolicyContainergPCMachineExtensionNames2.5.5.12[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]%%14674 5136001408100x8020000000000000170162Securityar-win-dc.attackrange.local{261a0e62-d22a-4832-a302-14e6e9877864}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=ATTACKRANGE,DC=LOCAL{2372d0aa-b81e-4b91-9357-e73b9ba51a4f}groupPolicyContainergPCMachineExtensionNames2.5.5.12[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]%%14675 5136001408100x8020000000000000170161Securityar-win-dc.attackrange.local{261a0e62-d22a-4832-a302-14e6e9877864}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=ATTACKRANGE,DC=LOCAL{2372d0aa-b81e-4b91-9357-e73b9ba51a4f}groupPolicyContainerversionNumber2.5.5.94%%14674 5136001408100x8020000000000000170160Securityar-win-dc.attackrange.local{261a0e62-d22a-4832-a302-14e6e9877864}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=ATTACKRANGE,DC=LOCAL{2372d0aa-b81e-4b91-9357-e73b9ba51a4f}groupPolicyContainerversionNumber2.5.5.93%%14675 154100x800000000000000011356Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:28:20.851{F02F376E-3FD4-6423-4C1B-00000000D602}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362016Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000362015Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xec8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011355Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:28:20.247{F02F376E-3FD4-6423-4B1B-00000000D602}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362014Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011354Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:28:19.591{F02F376E-3FD3-6423-4A1B-00000000D602}2588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 03/28/2023 19:28:19.967 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={31B2F340-016D-11D2-945F-00C04FB984F9} displayName=Default Domain Policy distinguishedName=CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=attackrange,DC=local cn={31B2F340-016D-11D2-945F-00C04FB984F9} Object Details: objectGUID=2372d0aa-b81e-4b91-9357-e73b9ba51a4f whenChanged=07:28.19 PM, Tue 03/28/2023 whenCreated=02:18.06 AM, Sun 03/26/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90444 uSNCreated=5672 instanceType=4 Additional Details: dSCorePropagationData=20230327205811.0Z|20230326024245.0Z|20230326024244.0Z|20230326024244.0Z|16010101000000.0Z gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}] gPCFileSysPath=\\attackrange.local\sysvol\attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} gPCFunctionalityVersion=2 isCriticalSystemObject=TRUE systemFlags=-1946157056 versionNumber=4 flags=0 showInAdvancedViewOnly=TRUE 03/28/2023 19:28:19.965 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={31B2F340-016D-11D2-945F-00C04FB984F9} displayName=Default Domain Policy distinguishedName=CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=attackrange,DC=local cn={31B2F340-016D-11D2-945F-00C04FB984F9} Object Details: objectGUID=2372d0aa-b81e-4b91-9357-e73b9ba51a4f whenChanged=07:28.19 PM, Tue 03/28/2023 whenCreated=02:18.06 AM, Sun 03/26/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90444 uSNCreated=5672 instanceType=4 Additional Details: dSCorePropagationData=20230327205811.0Z|20230326024245.0Z|20230326024244.0Z|20230326024244.0Z|16010101000000.0Z gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}] gPCFileSysPath=\\attackrange.local\sysvol\attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} gPCFunctionalityVersion=2 isCriticalSystemObject=TRUE systemFlags=-1946157056 versionNumber=4 flags=0 showInAdvancedViewOnly=TRUE 7300x8000000000000026899Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3924","Execution_ThreadID":"3128","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3924","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:28:13.0095084Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:28:16Z"} 7300x8000000000000026898Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3924","Execution_ThreadID":"3128","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3924","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:28:13.008944Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:28:16Z"} 154100x800000000000000011353Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:28:15.536{F02F376E-3FCF-6423-491B-00000000D602}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362013Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x26cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000362012Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf54C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011352Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:28:14.765{F02F376E-3FCE-6423-481B-00000000D602}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000026897Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD02900000","EventID":"5","Execution_ProcessID":"3924","Execution_ThreadID":"2364","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD02900000","ImageCheckSum":"81641","ImageLoaded":"\\Windows\\System32\\secur32.dll","ImageName":"\\Windows\\System32\\secur32.dll","ImageSize":"0xC000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\secur32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3924","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:28:12.8187476Z","TimeDateStamp":"1524894600","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:28:14Z"} 354300x800000000000000013479Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:28:02.516{f73635a5-3fb3-6423-601c-000000004902}2524C:\Windows\System32\mmc.exeATTACKRANGE\Administratortcptruefalse10.0.1.14ar-win-dc.attackrange.local59081-false10.0.1.14ar-win-dc.attackrange.local389ldap 22542200x800000000000000013478Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:48.225{f73635a5-3fb3-6423-601c-000000004902}2524AR-WIN-DC.ATTACKRANGE.LOCAL0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\mmc.exeATTACKRANGE\Administrator 154100x800000000000000013477Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:47.897{f73635a5-3fb3-6423-601c-000000004902}2524C:\Windows\System32\mmc.exe10.0.17763.1697 (WinBuild.160101.0800)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://ar-win-dc.attackrange.local/cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=attackrange,DC=local"C:\Users\Administrator\ATTACKRANGE\Administrator{f73635a5-0035-6422-1a56-080000000000}0x8561a2HighMD5=7A769B71B7FAE44E4F57B6BE4206DD97,SHA256=03048F7A610EE24CA36007019C6D5D200A9E94172D7F7A46CF71D7E792163E8D,IMPHASH=B8EE2D6252332A68B70B22E3D6E377D2{f73635a5-3ef4-6423-491c-000000004902}2324C:\Windows\System32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\gpmc.mscATTACKRANGE\Administrator 154100x800000000000000013476Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:43.400{f73635a5-3faf-6423-5f1c-000000004902}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013475Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:42.639{f73635a5-3fae-6423-5e1c-000000004902}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013474Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:41.980{f73635a5-3fad-6423-5d1c-000000004902}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013473Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:41.219{f73635a5-3fad-6423-5c1c-000000004902}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013472Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:27:38.126{f73635a5-3faa-6423-5b1c-000000004902}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000011351Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:27:21.118{F02F376E-3F99-6423-471B-00000000D602}2724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362011Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xaa4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000362010Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x73cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011350Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:27:20.354{F02F376E-3F98-6423-461B-00000000D602}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362009Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xce8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011349Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:27:19.584{F02F376E-3F97-6423-451B-00000000D602}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000011348Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:27:15.508{F02F376E-3F93-6423-441B-00000000D602}3972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000026896Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"368","Execution_ThreadID":"896","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:27:13.049199Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:27:15Z"} 7300x8000000000000026895Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"368","Execution_ThreadID":"896","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:27:13.0481385Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:27:15Z"} 4688201331200x8020000000000000362008Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf84C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000026894Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"368","Execution_ThreadID":"324","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"368","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:27:12.8075222Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:27:15Z"} 154100x800000000000000011347Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:27:14.758{F02F376E-3F92-6423-431B-00000000D602}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362007Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x170C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000013471Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:26:43.362{f73635a5-3f73-6423-5a1c-000000004902}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013470Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:26:42.597{f73635a5-3f72-6423-591c-000000004902}6696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013469Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:26:41.970{f73635a5-3f71-6423-581c-000000004902}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013468Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:26:41.208{f73635a5-3f71-6423-571c-000000004902}5128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013467Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:26:38.123{f73635a5-3f6e-6423-561c-000000004902}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000011346Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:26:21.099{F02F376E-3F5D-6423-421B-00000000D602}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362006Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xc78C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011345Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:26:20.338{F02F376E-3F5C-6423-411B-00000000D602}3896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362005Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf38C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011344Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:26:19.574{F02F376E-3F5B-6423-401B-00000000D602}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362004Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa14C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000362003Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xda0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011343Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:26:15.520{F02F376E-3F57-6423-3F1B-00000000D602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000026893Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"2648","Execution_ThreadID":"2460","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2648","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:26:13.0174804Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:26:15Z"} 7300x8000000000000026892Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"2648","Execution_ThreadID":"2460","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2648","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:26:13.0169438Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:26:15Z"} 7300x8000000000000026891Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFD054F0000","EventID":"5","Execution_ProcessID":"2648","Execution_ThreadID":"2452","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-netmon.exe","ImageBase":"0x7FFD054F0000","ImageCheckSum":"661894","ImageLoaded":"\\Windows\\System32\\dnsapi.dll","ImageName":"\\Windows\\System32\\dnsapi.dll","ImageSize":"0xA2000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dnsapi.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2648","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:26:12.8078843Z","TimeDateStamp":"1617867024","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:26:15Z"} 4688201331200x8020000000000000362002Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa58C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011342Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:26:14.758{F02F376E-3F56-6423-3E1B-00000000D602}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x800000000000000013466Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:25:43.459{f73635a5-3f37-6423-551c-000000004902}688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013465Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:25:42.701{f73635a5-3f36-6423-541c-000000004902}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013464Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:25:41.948{f73635a5-3f35-6423-531c-000000004902}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013463Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:25:41.201{f73635a5-3f35-6423-521c-000000004902}6448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000013462Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-28 19:25:38.115{f73635a5-3f32-6423-511c-000000004902}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x800000000000000011341Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:25:21.083{F02F376E-3F21-6423-3D1B-00000000D602}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000362001Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf68C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000362000Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa00C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011340Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:25:20.323{F02F376E-3F20-6423-3C1B-00000000D602}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000361999Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe20C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011339Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:25:19.567{F02F376E-3F1F-6423-3B1B-00000000D602}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000361998Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x550C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011338Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:25:15.509{F02F376E-3F1B-6423-3A1B-00000000D602}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000026890Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3156","Execution_ThreadID":"2812","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3156","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:25:12.9862832Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:25:15Z"} 7300x8000000000000026889Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3156","Execution_ThreadID":"2812","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3156","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:25:12.9858089Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:25:15Z"} 7300x8000000000000026888Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFD870000","EventID":"5","Execution_ProcessID":"3156","Execution_ThreadID":"944","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFCFD870000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3156","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-28T19:25:12.8024388Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-28T19:25:15Z"} 4688201331200x8020000000000000361997Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xc54C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x800000000000000011337Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-28 19:25:14.752{F02F376E-3F1A-6423-391B-00000000D602}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952---