4688201331200x8020000000000000355218Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xefcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004505Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:05:05.584{F02F376E-0501-6422-F100-00000000D602}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000006539Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:04:34.573{f73635a5-04e2-6422-6e01-000000004902}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006538Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:04:33.681{f73635a5-04e1-6422-6d01-000000004902}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006537Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:04:32.814{f73635a5-04e0-6422-6c01-000000004902}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006536Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:04:30.501{f73635a5-04de-6422-6b01-000000004902}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006535Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:04:27.793{f73635a5-04db-6422-6a01-000000004902}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 4688201331200x8020000000000000355217Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x4c0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004504Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:04:10.927{F02F376E-04CA-6422-F000-00000000D602}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022859Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"712","Execution_ThreadID":"1032","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"712","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:04:09.5817779Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:04:10Z"} 7300x8000000000000022858Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"712","Execution_ThreadID":"1032","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"712","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:04:09.5790856Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:04:10Z"} 7300x8000000000000022857Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"712","Execution_ThreadID":"1148","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"712","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:04:09.366982Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:04:10Z"} 154100x80000000000000004503Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:04:10.175{F02F376E-04CA-6422-EF00-00000000D602}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355216Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2c8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004502Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:04:09.360{F02F376E-04C9-6422-EE00-00000000D602}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355215Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004501Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:04:06.755{F02F376E-04C6-6422-ED00-00000000D602}3272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355214Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xcc8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004500Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:04:05.582{F02F376E-04C5-6422-EC00-00000000D602}1652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355213Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x674C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000006534Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:03:34.569{f73635a5-04a6-6422-6901-000000004902}1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006533Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:03:33.673{f73635a5-04a5-6422-6801-000000004902}5240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006532Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:03:32.802{f73635a5-04a4-6422-6701-000000004902}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006531Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:03:30.498{f73635a5-04a2-6422-6601-000000004902}4168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006530Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:03:27.796{f73635a5-049f-6422-6501-000000004902}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 4688201331200x8020000000000000355212Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x8d8C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004499Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:03:10.924{F02F376E-048E-6422-EB00-00000000D602}2264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022856Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"1500","Execution_ThreadID":"1320","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1500","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:03:08.714378Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:03:10Z"} 7300x8000000000000022855Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"1500","Execution_ThreadID":"1320","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1500","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:03:08.7138549Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:03:10Z"} 7300x8000000000000022854Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"1500","Execution_ThreadID":"1428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1500","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:03:08.5433772Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:03:10Z"} 154100x80000000000000004498Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:03:10.161{F02F376E-048E-6422-EA00-00000000D602}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355211Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004497Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:03:09.349{F02F376E-048D-6422-E900-00000000D602}1500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355210Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x5dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355209Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x14cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004496Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:03:06.755{F02F376E-048A-6422-E800-00000000D602}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355208Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2a0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004495Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:03:05.582{F02F376E-0489-6422-E700-00000000D602}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000006529Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:02:34.566{f73635a5-046a-6422-6401-000000004902}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006528Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:02:33.676{f73635a5-0469-6422-6301-000000004902}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006527Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:02:32.790{f73635a5-0468-6422-6201-000000004902}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006526Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:02:30.476{f73635a5-0466-6422-6101-000000004902}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006525Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:02:27.779{f73635a5-0463-6422-6001-000000004902}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000004494Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:02:10.889{F02F376E-0452-6422-E600-00000000D602}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355207Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf00C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000022853Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3760","Execution_ThreadID":"2440","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3760","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:02:09.5241295Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:02:10Z"} 7300x8000000000000022852Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3760","Execution_ThreadID":"2440","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3760","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:02:09.5236814Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:02:10Z"} 7300x8000000000000022851Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"3760","Execution_ThreadID":"3432","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3760","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:02:09.3499671Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:02:10Z"} 4688201331200x8020000000000000355206Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xeb0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004493Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:02:10.153{F02F376E-0452-6422-E500-00000000D602}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355205Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe98C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004492Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:02:09.336{F02F376E-0451-6422-E400-00000000D602}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355204Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x550C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004491Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:02:06.753{F02F376E-044E-6422-E300-00000000D602}1360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000004490Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:02:05.563{F02F376E-044D-6422-E200-00000000D602}3524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355203Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xdc4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 703604000x8080000000000000120388Systemar-win-dc.attackrange.localWindows Modules Installerstopped540072007500730074006500640049006E007300740061006C006C00650072002F0031000000 154100x80000000000000006524Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:01:34.557{f73635a5-042e-6422-5f01-000000004902}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006523Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:01:33.672{f73635a5-042d-6422-5e01-000000004902}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006522Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:01:32.788{f73635a5-042c-6422-5d01-000000004902}2692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006521Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:01:30.463{f73635a5-042a-6422-5c01-000000004902}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006520Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:01:27.766{f73635a5-0427-6422-5b01-000000004902}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 4688201331200x8020000000000000355202Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x470C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004489Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:01:11.001{F02F376E-0417-6422-E100-00000000D602}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022850Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"4024","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4024","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:01:09.5422029Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:01:11Z"} 7300x8000000000000022849Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"4024","Execution_ThreadID":"2660","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4024","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:01:09.5417581Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:01:11Z"} 4688201331200x8020000000000000355201Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfb8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004488Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:01:10.149{F02F376E-0416-6422-E000-00000000D602}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022848Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"4048","Execution_ThreadID":"3868","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"4048","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:01:08.5188699Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:01:10Z"} 4688201331200x8020000000000000355200Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfd0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004487Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:01:09.320{F02F376E-0415-6422-DF00-00000000D602}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000004486Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:01:06.891{F02F376E-0412-6422-DE00-00000000D602}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355199Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xffcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355198Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004485Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:01:05.562{F02F376E-0411-6422-DD00-00000000D602}2116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000006519Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:00:34.486{f73635a5-03f2-6422-5a01-000000004902}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006518Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:00:33.683{f73635a5-03f1-6422-5901-000000004902}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006517Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:00:32.781{f73635a5-03f0-6422-5801-000000004902}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006516Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:00:30.463{f73635a5-03ee-6422-5701-000000004902}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006515Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 21:00:27.763{f73635a5-03eb-6422-5601-000000004902}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 4688201331200x8020000000000000355197Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x210C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004484Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:00:11.010{F02F376E-03DB-6422-DC00-00000000D602}528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022847Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3684","Execution_ThreadID":"3740","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3684","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:00:08.7790005Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:00:10Z"} 7300x8000000000000022846Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3684","Execution_ThreadID":"3740","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3684","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:00:08.7784234Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:00:10Z"} 7300x8000000000000022845Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"3684","Execution_ThreadID":"3432","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3684","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T21:00:08.5056249Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T21:00:10Z"} 154100x80000000000000004483Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:00:10.143{F02F376E-03DA-6422-DB00-00000000D602}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355196Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x990C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004482Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:00:09.303{F02F376E-03D9-6422-DA00-00000000D602}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355195Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe64C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355194Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xb6cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004481Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:00:06.982{F02F376E-03D6-6422-D900-00000000D602}2924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000004480Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 21:00:05.545{F02F376E-03D5-6422-D800-00000000D602}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355193Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x710C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 703604000x8080000000000000120387Systemar-win-dc.attackrange.localClient License Service (ClipSVC)stopped43006C00690070005300560043002F0031000000 703604000x8080000000000000120386Systemar-win-dc.attackrange.localAppX Deployment Service (AppXSVC)stopped41007000700058005300760063002F0031000000 703604000x8080000000000000120385Systemar-win-dc.attackrange.localWindows Modules Installerrunning540072007500730074006500640049006E007300740061006C006C00650072002F0034000000 154100x80000000000000006514Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:39.526{f73635a5-03bb-6422-5501-000000004902}1188C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.4121_none_5703f42b990865ed\TiWorker.exe10.0.17763.4121 (WinBuild.160101.0800)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.17763.4121_none_5703f42b990865ed\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=BDACB18E4B4096FA5B04BB14247B621B,SHA256=27560826969F4DDE5AE5C509DA9069DC6E5408D08E312A6408CB69ED983951E2,IMPHASH=DFA5AA6C71EAA48650B69852FC48ECDC{00000000-0000-0000-0000-000000000000}856--- 154100x80000000000000006513Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:39.474{f73635a5-03bb-6422-5401-000000004902}4984C:\Windows\servicing\TrustedInstaller.exe10.0.17763.1098 (WinBuild.160101.0800)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=83F09DC8EA0615A80E5204E07001C7FF,SHA256=E9EA26B1F8413C724A0E4CA0533171A60F4E2A1180A48DC1F117BF155BEE831A,IMPHASH=5A5A505BA4F93DA92EB564DA19258843{f73635a5-ff58-6421-0b00-000000004902}604C:\Windows\System32\services.exeC:\Windows\system32\services.exeNT AUTHORITY\SYSTEM 154100x80000000000000006512Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:39.392{f73635a5-03bb-6422-5301-000000004902}344C:\Windows\System32\taskhostw.exe10.0.17763.1852 (WinBuild.160101.0800)Host Process for Windows TasksMicrosoft® Windows® Operating SystemMicrosoft Corporationtaskhostw.exetaskhostw.exe Install $(Arg0)C:\Windows\system32\ATTACKRANGE\Administrator{f73635a5-0035-6422-1a56-080000000000}0x8561a2HighMD5=8BD7B08DA6BCA54DF9B595E4D9281BEB,SHA256=DE85F29A8BC7219F10A4AC88654C3901ABC329D7505B21CD95CBF780D1EBCCF4,IMPHASH=9839C7FD9649496B162F72128209528A{f73635a5-ff5c-6421-2700-000000004902}1740C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ScheduleNT AUTHORITY\SYSTEM 154100x80000000000000006511Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:34.501{f73635a5-03b6-6422-5201-000000004902}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006510Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:33.684{f73635a5-03b5-6422-5101-000000004902}4408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006509Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:32.781{f73635a5-03b4-6422-5001-000000004902}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006508Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:30.459{f73635a5-03b2-6422-4f01-000000004902}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006507Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:59:27.759{f73635a5-03af-6422-4e01-000000004902}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 5136001408100x8020000000000000170149Securityar-win-dc.attackrange.local{bbe9d5c7-753f-4f87-b595-f24a1d09c8c5}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},cn=policies,cn=system,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerdisplayName2.5.5.12Malicious GPO%%14674 5136001408100x8020000000000000170148Securityar-win-dc.attackrange.local{bbe9d5c7-753f-4f87-b595-f24a1d09c8c5}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},cn=policies,cn=system,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerdisplayName2.5.5.12New Group Policy Object%%14675 5136001408100x8020000000000000170147Securityar-win-dc.attackrange.local{8c2d9d2f-680f-476b-ad0f-b40b82ba6380}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerflags2.5.5.90%%14674 5136001408100x8020000000000000170146Securityar-win-dc.attackrange.local{8c2d9d2f-680f-476b-ad0f-b40b82ba6380}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainergPCFunctionalityVersion2.5.5.92%%14674 5136001408100x8020000000000000170145Securityar-win-dc.attackrange.local{8c2d9d2f-680f-476b-ad0f-b40b82ba6380}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerversionNumber2.5.5.90%%14674 5136001408100x8020000000000000170144Securityar-win-dc.attackrange.local{8c2d9d2f-680f-476b-ad0f-b40b82ba6380}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainergPCFileSysPath2.5.5.12\\attackrange.local\SysVol\attackrange.local\Policies\{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4}%%14674 5136001408100x8020000000000000170143Securityar-win-dc.attackrange.local{1ce07bfd-a7ad-4678-a12d-12515dbb215d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerdisplayName2.5.5.12New Group Policy Object%%14674 5136001408100x8020000000000000170142Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainerobjectClass2.5.5.21.2.840.113556.1.5.157%%14674 5136001408100x8020000000000000170141Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainercn2.5.5.12{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4}%%14674 5137001408100x8020000000000000170140Securityar-win-dc.attackrange.local{681cac8c-b5a4-48fd-be93-4339996bd94d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local{3e7ae4de-29a6-41c1-b27c-bf9548b0444c}groupPolicyContainer 03/27/2023 20:59:15.428 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=Malicious GPO distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90165 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z gPCFileSysPath=\\attackrange.local\SysVol\attackrange.local\Policies\{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} gPCFunctionalityVersion=2 versionNumber=0 flags=0 showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.417 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=New Group Policy Object distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90164 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z gPCFileSysPath=\\attackrange.local\SysVol\attackrange.local\Policies\{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} gPCFunctionalityVersion=2 versionNumber=0 flags=0 showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.409 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=New Group Policy Object distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90163 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.375 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=User distinguishedName=CN=User,CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn=User Object Details: objectGUID=a8cc845b-4b33-4bf5-a2b8-4fa26f4b175e whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container Event Details: uSNChanged=90162 uSNCreated=90162 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.375 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=Machine distinguishedName=CN=Machine,CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn=Machine Object Details: objectGUID=b145eeaf-4da2-4324-b835-83a7b8be873d whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container Event Details: uSNChanged=90161 uSNCreated=90161 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.359 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90160 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.486 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=Malicious GPO distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90165 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z gPCFileSysPath=\\attackrange.local\SysVol\attackrange.local\Policies\{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} gPCFunctionalityVersion=2 versionNumber=0 flags=0 showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.486 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=New Group Policy Object distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90164 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z gPCFileSysPath=\\attackrange.local\SysVol\attackrange.local\Policies\{2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} gPCFunctionalityVersion=2 versionNumber=0 flags=0 showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.482 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} displayName=New Group Policy Object distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90163 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.460 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=User distinguishedName=CN=User,CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn=User Object Details: objectGUID=a8cc845b-4b33-4bf5-a2b8-4fa26f4b175e whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container Event Details: uSNChanged=90162 uSNCreated=90162 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.450 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=Machine distinguishedName=CN=Machine,CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn=Machine Object Details: objectGUID=b145eeaf-4da2-4324-b835-83a7b8be873d whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container Event Details: uSNChanged=90161 uSNCreated=90161 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 03/27/2023 20:59:15.433 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} distinguishedName=CN={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4},CN=Policies,CN=System,DC=attackrange,DC=local cn={2C4C7CD3-7AA5-4E84-89B5-CE9FC75611D4} Object Details: objectGUID=3e7ae4de-29a6-41c1-b27c-bf9548b0444c whenChanged=08:59.15 PM, Mon 03/27/2023 whenCreated=08:59.15 PM, Mon 03/27/2023 objectClass=top|container|groupPolicyContainer Event Details: uSNChanged=90160 uSNCreated=90160 instanceType=4 Additional Details: dSCorePropagationData=16010101000000.0Z showInAdvancedViewOnly=TRUE 154100x80000000000000004479Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:59:11.007{F02F376E-039F-6422-D700-00000000D602}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355192Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xcecC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000022844Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"656","Execution_ThreadID":"3996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"656","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:59:08.7286069Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:59:10Z"} 7300x8000000000000022843Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"656","Execution_ThreadID":"3996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"656","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:59:08.7264405Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:59:10Z"} 7300x8000000000000022842Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFD980000","EventID":"5","Execution_ProcessID":"656","Execution_ThreadID":"3996","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFD980000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"656","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:59:08.5505586Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:59:10Z"} 154100x80000000000000004478Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:59:10.129{F02F376E-039E-6422-D600-00000000D602}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355191Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd44C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004477Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:59:09.308{F02F376E-039D-6422-D500-00000000D602}656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355190Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x290C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355189Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfd0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004476Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:59:06.965{F02F376E-039A-6422-D400-00000000D602}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355188Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004475Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:59:05.528{F02F376E-0399-6422-D300-00000000D602}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 22542200x80000000000000006506Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:38.404{f73635a5-0372-6422-4701-000000004902}728ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\mmc.exeATTACKRANGE\Administrator 22542200x80000000000000006505Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:38.401{f73635a5-0372-6422-4701-000000004902}728AR-WIN-DC0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\mmc.exeATTACKRANGE\Administrator 154100x80000000000000006504Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:34.506{f73635a5-037a-6422-4d01-000000004902}4420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006503Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:33.614{f73635a5-0379-6422-4c01-000000004902}5876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006502Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:32.771{f73635a5-0378-6422-4b01-000000004902}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006501Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:30.477{f73635a5-0376-6422-4901-000000004902}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006500Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:27.779{f73635a5-0373-6422-4801-000000004902}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006499Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:58:26.432{f73635a5-0372-6422-4701-000000004902}728C:\Windows\System32\mmc.exe10.0.17763.1697 (WinBuild.160101.0800)Microsoft Management ConsoleMicrosoft® Windows® Operating SystemMicrosoft Corporationmmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /sC:\Windows\system32\ATTACKRANGE\Administrator{f73635a5-0035-6422-1a56-080000000000}0x8561a2HighMD5=7A769B71B7FAE44E4F57B6BE4206DD97,SHA256=03048F7A610EE24CA36007019C6D5D200A9E94172D7F7A46CF71D7E792163E8D,IMPHASH=B8EE2D6252332A68B70B22E3D6E377D2{f73635a5-0037-6422-d400-000000004902}5172C:\Windows\explorer.exe"C:\Windows\Explorer.EXE" /NOUACCHECKATTACKRANGE\Administrator 3704000x8000000000000000120384Systemar-win-dc.attackrange.local169.254.169.123,0x9 (ntp.m|0x9|0.0.0.0:123->169.254.169.123:123) 5136001408100x8020000000000000170139Securityar-win-dc.attackrange.local{48dc9105-b25f-4b4a-bb49-6ba27c916c2d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN=Policies,CN=System,DC=attackrange,DC=local{f8b82539-2b7b-4ffe-96c1-e0713733b0f4}containernTSecurityDescriptor2.5.5.15O:DAG:DAD:AI(OA;CIIO;WP;bf967a76-0de6-11d0-a285-00aa003049e2;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OA;;CC;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;WD)(OA;CIIO;SDWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(A;;CC;;;PA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;WP;;;WD)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-537851375-1300420925-1735565775-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-537851375-1300420925-1735565775-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-2312)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3343)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4122)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3640)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3436)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3724)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3995)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4130)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3374)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3403)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4013)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4107)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3865)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-2677)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3722)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3724)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4059)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;CY)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-519)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-4107)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-3470)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;SA;CCDCDTSDWDWO;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;WD)(OU;CISA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)%%14674 5136001408100x8020000000000000170138Securityar-win-dc.attackrange.local{48dc9105-b25f-4b4a-bb49-6ba27c916c2d}-ATTACKRANGE\AdministratorAdministratorATTACKRANGE0x8561aattackrange.local%%14676CN=Policies,CN=System,DC=attackrange,DC=local{f8b82539-2b7b-4ffe-96c1-e0713733b0f4}containernTSecurityDescriptor2.5.5.15O:DAG:DAD:AI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CC;;;PA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-537851375-1300420925-1735565775-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-537851375-1300420925-1735565775-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-2312)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3343)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4122)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3640)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3436)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3724)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3995)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4130)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3374)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3403)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4013)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4107)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3865)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-2677)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3722)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-3724)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-537851375-1300420925-1735565775-4059)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;bf967aba-0de6-11d0-a285-00aa003049e2;CY)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-519)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-4107)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537851375-1300420925-1735565775-3470)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)S:AI(OU;SA;CCDCDTSDWDWO;f30e3bc2-9ff0-11d1-b603-0000f80367c1;;WD)(OU;CISA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)%%14675 03/27/2023 20:58:11.268 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=Policies distinguishedName=CN=Policies,CN=System,DC=attackrange,DC=local cn=Policies Object Details: objectGUID=f8b82539-2b7b-4ffe-96c1-e0713733b0f4 whenChanged=08:58.11 PM, Mon 03/27/2023 whenCreated=02:18.06 AM, Sun 03/26/2023 objectClass=top|container Event Details: uSNChanged=90158 uSNCreated=5671 instanceType=4 Additional Details: dSCorePropagationData=20230326024245.0Z|20230326024244.0Z|20230326024244.0Z|20230326024241.0Z|16010714223649.0Z isCriticalSystemObject=TRUE systemFlags=-1946157056 showInAdvancedViewOnly=TRUE 03/27/2023 20:58:11.324 dcName=ar-win-dc.attackrange.local admonEventType=Update Names: objectCategory=CN=Container,CN=Schema,CN=Configuration,DC=attackrange,DC=local name=Policies distinguishedName=CN=Policies,CN=System,DC=attackrange,DC=local cn=Policies Object Details: objectGUID=f8b82539-2b7b-4ffe-96c1-e0713733b0f4 whenChanged=08:58.11 PM, Mon 03/27/2023 whenCreated=02:18.06 AM, Sun 03/26/2023 objectClass=top|container Event Details: uSNChanged=90158 uSNCreated=5671 instanceType=4 Additional Details: dSCorePropagationData=20230327205811.0Z|20230326024245.0Z|20230326024244.0Z|20230326024244.0Z|16010714223648.0Z isCriticalSystemObject=TRUE systemFlags=-1946157056 showInAdvancedViewOnly=TRUE 154100x80000000000000004474Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:58:10.991{F02F376E-0362-6422-D200-00000000D602}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355187Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xbd4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000022841Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3696","Execution_ThreadID":"3472","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3696","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:58:08.698677Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:58:10Z"} 7300x8000000000000022840Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3696","Execution_ThreadID":"3472","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3696","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:58:08.6982408Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:58:10Z"} 7300x8000000000000022839Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFD980000","EventID":"5","Execution_ProcessID":"3696","Execution_ThreadID":"3472","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFD980000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3696","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:58:08.5261709Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:58:10Z"} 154100x80000000000000004473Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:58:10.126{F02F376E-0362-6422-D100-00000000D602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355186Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xea0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004472Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:58:09.295{F02F376E-0361-6422-D000-00000000D602}3696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355185Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe70C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355184Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe64C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004471Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:58:06.948{F02F376E-035E-6422-CF00-00000000D602}3684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 154100x80000000000000004470Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:58:05.518{F02F376E-035D-6422-CE00-00000000D602}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355183Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xdecC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000006498Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:57:34.501{f73635a5-033e-6422-4601-000000004902}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006497Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:57:33.640{f73635a5-033d-6422-4501-000000004902}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006496Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:57:32.792{f73635a5-033c-6422-4401-000000004902}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006495Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:57:30.481{f73635a5-033a-6422-4301-000000004902}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006494Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:57:27.777{f73635a5-0337-6422-4201-000000004902}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000004469Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:10.970{F02F376E-0326-6422-CD00-00000000D602}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355182Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd64C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004468Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:10.102{F02F376E-0326-6422-CC00-00000000D602}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355181Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xc7cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000022838Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"1136","Execution_ThreadID":"3864","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:57:08.7024932Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:57:10Z"} 7300x8000000000000022837Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"1136","Execution_ThreadID":"3864","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:57:08.7020525Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:57:10Z"} 7300x8000000000000022836Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"1136","Execution_ThreadID":"2664","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1136","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:57:08.498579Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:57:10Z"} 154100x80000000000000004467Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:09.289{F02F376E-0325-6422-CB00-00000000D602}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355180Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x470C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000355179Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf9cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004466Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:06.986{F02F376E-0322-6422-CA00-00000000D602}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355178Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfbcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004465Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:05.509{F02F376E-0321-6422-C900-00000000D602}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 22542200x80000000000000004464Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:57:02.582{F02F376E-FF57-6421-1200-00000000D602}1000ar-win-dc.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICE 3504000x8000000000000000120383Systemar-win-dc.attackrange.localtime.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->168.61.215.74:123)12556200084 14403000x8000000000000000120382Systemar-win-dc.attackrange.local 22542200x80000000000000006493Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:40.963{f73635a5-ff5c-6421-2c00-000000004902}1320ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE 22542200x80000000000000006492Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:40.957{f73635a5-ff5c-6421-2c00-000000004902}1320ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;::ffff:10.0.1.14;C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICE 3704000x8000000000000000120381Systemar-win-dc.attackrange.localtime.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->168.61.215.74:123) 13704000x8000000000000000120380Systemar-win-dc.attackrange.localtime.windows.com,0x8 154100x80000000000000006491Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:34.525{f73635a5-0302-6422-4101-000000004902}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 22542200x80000000000000006490Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:33.208{f73635a5-ff58-6421-0c00-000000004902}612_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ar-win-dc.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEM 154100x80000000000000006489Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:33.652{f73635a5-0301-6422-4001-000000004902}624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006488Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:32.799{f73635a5-0300-6422-3f01-000000004902}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006487Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:30.482{f73635a5-02fe-6422-3e01-000000004902}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006486Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:27.802{f73635a5-02fb-6422-3d01-000000004902}596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000004463Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:56:10.949{F02F376E-02EA-6422-C800-00000000D602}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355177Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x7f4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 22542200x80000000000000006485Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:08.776{f73635a5-ff58-6421-0c00-000000004902}612ar-win-dc.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEM 22542200x80000000000000006484Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:56:08.776{f73635a5-ff58-6421-0c00-000000004902}612ar-win-dc.attackrange.local0fe80::ccd8:364c:b6d:dab2;C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEM 7300x8000000000000022835Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"3668","Execution_ThreadID":"3860","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:56:09.4785007Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:56:10Z"} 7300x8000000000000022834Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"3668","Execution_ThreadID":"3860","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:56:09.4780379Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:56:10Z"} 7300x8000000000000022833Applicationar-win-2.attackrange.local{"Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFBB20000","EventID":"5","Execution_ProcessID":"3668","Execution_ThreadID":"3788","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFBB20000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:56:09.2971146Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:56:10Z"} 4688201331200x8020000000000000355176Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xe54C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004462Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:56:10.086{F02F376E-02EA-6422-C700-00000000D602}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355175Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xa18C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004461Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:56:09.272{F02F376E-02E9-6422-C600-00000000D602}2584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 7014100x80000000000000133Directory Servicear-win-dc.attackrange.localNTDS612,D,0NTDSA: C:\Windows\NTDS\ntds.dit03/27/20230116 1869041800x8080000000000000134Directory Servicear-win-dc.attackrange.local\\ar-win-dc.attackrange.localDefault-First-Site-Name 7004100x80000000000000132Directory Servicear-win-dc.attackrange.localNTDS612,D,0NTDSA: C:\Windows\NTDS\ntds.dit 326410x80000000000000131Directory Servicear-win-dc.attackrange.localNTDS612,D,50NTDSA: 1C:\Windows\NTDS\ntds.dit0 [1] 0.000004 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) [2] 0.000611 -0.000466 (1) WT +J(0) +M(C:0K, Fs:20, WS:12K # 0K, PF:12K # 0K, P:12K) [3] 0.015100 -0.005474 (6) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:3480/2) +M(C:0K, Fs:16, WS:56K # 0K, PF:124K # 0K, P:124K) [4] 0.000104 +J(0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) [5] - [6] - [7] - [8] 0.004021 -0.001472 (2) CM -0.000836 (2) WT +J(CM:2, PgRf:2, Rd:4/2, Dy:0/0, Lg:0/0) +M(C:16K, Fs:49, WS:188K # 0K, PF:208K # 0K, P:208K) [9] 0.005725 -0.003457 (5) CM -0.003271 (5) WT +J(CM:5, PgRf:24, Rd:0/5, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:29, WS:88K # 0K, PF:196K # 0K, P:196K) [10] 0.002638 -0.002443 (4) CM -0.002294 (4) WT +J(CM:4, PgRf:40, Rd:0/4, Dy:0/0, Lg:0/0) +M(C:-4K, Fs:4, WS:4K # 0K, PF:60K # 0K, P:60K) [11] 0.000543 -0.000504 (1) CM -0.000469 (1) WT +J(CM:1, PgRf:1, Rd:0/1, Dy:0/0, Lg:0/0) +M(C:0K, Fs:2, WS:4K # 0K, PF:0K # 0K, P:0K) [12] 0.000035 +J(CM:0, PgRf:42, Rd:0/0, Dy:0/0, Lg:0/0) +M(C:0K, Fs:1, WS:4K # 0K, PF:0K # 0K, P:0K) [13] 0.0 +J(0) [14] 0.0 +J(0) [15] 0.000004 +J(CM:0, PgRf:1, Rd:0/0, Dy:0/0, Lg:0/0).0 0lgposAttach = 00000010:07A1:0268 105410x80000000000000130Directory Servicear-win-dc.attackrange.localNTDS612,D,0NTDSA: 00 [1] 0.000480 +J(0) +M(C:0K, Fs:82, WS:304K # 0K, PF:2424K # 0K, P:2424K) [2] 0.000587 +J(0) +M(C:16K, Fs:138, WS:544K # 264K, PF:1132K # 632K, P:1132K) [3] 0.000017 +J(0) +M(C:0K, Fs:5, WS:20K # 20K, PF:64K # 64K, P:64K) [4] 0.008846 -0.000382 (1) WT +J(0) +M(C:0K, Fs:125, WS:416K # 416K, PF:7636K # 7636K, P:7636K) [5] 0.000252 +J(0) [6] 0.003255 +J(0) +M(C:0K, Fs:24, WS:92K # 92K, PF:12K # 12K, P:12K) [7] 0.072353 -0.063424 (41) WT +J(0) +M(C:0K, Fs:2577, WS:10288K # 10288K, PF:10260K # 10260K, P:10260K) [8] - [9] - [10] - [11] - [12] - [13] 0.035818 -0.029263 (42) WT +J(CM:0, PgRf:0, Rd:0/0, Dy:0/0, Lg:616/1) +M(C:0K, Fs:21, WS:-10168K # 68K, PF:-10188K # 84K, P:-10188K) [14] 0.000018 +J(0) +M(C:0K, Fs:2, WS:8K # 0K, PF:0K # 0K, P:0K) [15] 0.000760 +J(0) +M(C:0K, Fs:811, WS:3240K # 0K, PF:68K # 0K, P:68K) [16] 0.000658 -0.000440 (1) WT +J(0) +M(C:0K, Fs:3, WS:0K # 0K, PF:0K # 0K, P:0K). 102410x80000000000000129Directory Servicear-win-dc.attackrange.localNTDS612,P,98NTDSA: 01000177630000 4688201331200x8020000000000000355174Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xd90C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004460Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:56:06.978{F02F376E-02E6-6422-C500-00000000D602}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355173Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xeacC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004459Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:56:05.500{F02F376E-02E5-6422-C400-00000000D602}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952--- 614804000x8000000000000000120379Systemar-win-dc.attackrange.local 154100x80000000000000006483Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:55:34.526{f73635a5-02c6-6422-3c01-000000004902}2992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006482Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:55:33.640{f73635a5-02c5-6422-3b01-000000004902}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006481Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:55:32.778{f73635a5-02c4-6422-3a01-000000004902}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006480Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:55:30.468{f73635a5-02c2-6422-3901-000000004902}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}3132--- 154100x80000000000000006479Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2023-03-27 20:55:27.803{f73635a5-02bf-6422-3801-000000004902}1636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{f73635a5-ff58-6421-e703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}3132--- 4688201331200x8020000000000000355172Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x3b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004458Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:55:10.954{F02F376E-02AE-6422-C300-00000000D602}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}1952--- 7300x8000000000000022832Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB220000","EventID":"5","Execution_ProcessID":"616","Execution_ThreadID":"608","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB220000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"616","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:55:08.6839693Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:55:10Z"} 7300x8000000000000022831Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFB250000","EventID":"5","Execution_ProcessID":"616","Execution_ThreadID":"608","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFB250000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"616","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:55:08.6835429Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:55:10Z"} 7300x8000000000000022830Applicationar-win-2.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\"","Computer":"ar-win-2","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFCFD980000","EventID":"5","Execution_ProcessID":"616","Execution_ThreadID":"608","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe","ImageBase":"0x7FFCFD980000","ImageCheckSum":"144503","ImageLoaded":"\\Windows\\System32\\netapi32.dll","ImageName":"\\Windows\\System32\\netapi32.dll","ImageSize":"0x19000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\netapi32.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"616","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2371-g4c3296ce7/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-27T20:55:08.4955357Z","TimeDateStamp":"1664518880","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-27T20:55:10Z"} 4688201331200x8020000000000000355171Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x96cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004457Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:55:10.065{F02F376E-02AE-6422-C200-00000000D602}2412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355170Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004456Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:55:09.264{F02F376E-02AD-6422-C100-00000000D602}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355169Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x470C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004455Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:55:06.976{F02F376E-02AA-6422-C000-00000000D602}1136C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}1952--- 4688201331200x8020000000000000355168Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xf9cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7a0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000004454Microsoft-Windows-Sysmon/Operationalar-win-2.attackrange.local-2023-03-27 20:55:05.494{F02F376E-02A9-6422-BF00-00000000D602}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{F02F376E-FF56-6421-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}1952---