354300x80000000000000002149891Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:44.374{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39070-false10.0.1.12-8000- 354300x80000000000000002149892Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:47.236{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42056-false10.0.1.12-8089- 534500x80000000000000002149894Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:48.854{ec230001-60ee-6262-90a6-023818560000}724/lib/systemd/systemd-networkdsystemd-network 354300x80000000000000002149893Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:48.854{ec230001-60ee-6262-90a6-023818560000}724/lib/systemd/systemd-networkd-udpfalsefalse0.0.0.0-0-false10.0.1.20-68- 354300x80000000000000002149895Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:48.855{ec230001-60ed-6262-7046-269c90550000}665/lib/systemd/systemd-timesyncdsystemd-timesyncudptruefalse10.0.1.20-36645-false169.254.169.123-123- 354300x80000000000000002149896Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:49.409{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39074-false10.0.1.12-8000- 154100x80000000000000002149898Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:53.786{ec230001-9931-6262-e087-8ddb2f560000}4945/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149897Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:53.786{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-59390-false10.0.1.20-22- 534500x80000000000000002149899Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:54.460{ec230001-9931-6262-0000-000000000000}4946-sshd 534500x80000000000000002149900Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:54.461{ec230001-9931-6262-e087-8ddb2f560000}4945/usr/sbin/sshdroot 354300x80000000000000002149901Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:55.336{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39076-false10.0.1.12-8000- 154100x80000000000000002149902Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:59.625{ec230001-9937-6262-6894-1b050e560000}4947/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002149903Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:01:59.641{ec230001-9937-6262-6894-1b050e560000}4947/bin/psroot 354300x80000000000000002149904Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:00.344{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39078-false10.0.1.12-8000- 534500x80000000000000002149905Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:00.347{ec230001-60ec-6262-c89a-4e13d6550000}462/lib/systemd/systemd-journaldroot 534500x80000000000000002149906Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:00.355{ec230001-60ec-6262-c89a-4e13d6550000}462/lib/systemd/systemd-journaldroot 23542300x80000000000000002149907Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:00.981{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002149908Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:06.292{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39080-false10.0.1.12-8000- 354300x80000000000000002149909Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:11.299{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39082-false10.0.1.12-8000- 23542300x80000000000000002149912Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:16.207{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db/snapshot.old/btree_records.dat--- 23542300x80000000000000002149911Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:16.207{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db/snapshot.old/snap.dat--- 23542300x80000000000000002149910Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:16.207{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db/snapshot.old/btree_index.dat--- 354300x80000000000000002149913Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:16.359{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39084-false10.0.1.12-8000- 354300x80000000000000002149914Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:22.338{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39086-false10.0.1.12-8000- 154100x80000000000000002149916Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:22.855{ec230001-994e-6262-e0c7-5d5bde550000}4950/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149915Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:22.855{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-36330-false10.0.1.20-22- 534500x80000000000000002149917Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:23.534{ec230001-994e-6262-0000-000000000000}4951-sshd 534500x80000000000000002149918Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:23.535{ec230001-994e-6262-e0c7-5d5bde550000}4950/usr/sbin/sshdroot 354300x80000000000000002149919Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:27.369{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39088-false10.0.1.12-8000- 23542300x80000000000000002149920Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:30.981{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002149921Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:32.394{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39090-false10.0.1.12-8000- 354300x80000000000000002149922Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:38.238{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39092-false10.0.1.12-8000- 354300x80000000000000002149923Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:43.429{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39094-false10.0.1.12-8000- 354300x80000000000000002149924Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:47.240{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42080-false10.0.1.12-8089- 354300x80000000000000002149925Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:49.284{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39098-false10.0.1.12-8000- 354300x80000000000000002149926Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:51.432{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-41332-false10.0.1.20-22- 154100x80000000000000002149927Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:51.433{ec230001-996b-6262-e0e7-7bfaa6550000}4952/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 534500x80000000000000002149928Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:52.124{ec230001-996b-6262-0000-000000000000}4953-sshd 534500x80000000000000002149929Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:52.126{ec230001-996b-6262-e0e7-7bfaa6550000}4952/usr/sbin/sshdroot 354300x80000000000000002149930Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:02:54.378{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39100-false10.0.1.12-8000- 354300x80000000000000002149931Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:00.249{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39102-false10.0.1.12-8000- 154100x80000000000000002149932Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:00.642{ec230001-9974-6262-6874-b77c9f550000}4954/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002149933Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:00.656{ec230001-9974-6262-6874-b77c9f550000}4954/bin/psroot 23542300x80000000000000002149934Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:00.983{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002149935Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:05.422{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39104-false10.0.1.12-8000- 534500x80000000000000002149936Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:05.988{00000000-0000-0000-0000-000000000000}4851<unknown process>root 534500x80000000000000002149937Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:10.236{00000000-0000-0000-0000-000000000000}2084<unknown process>root 354300x80000000000000002149938Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:11.297{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39106-false10.0.1.12-8000- 354300x80000000000000002149939Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:16.386{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39108-false10.0.1.12-8000- 154100x80000000000000002149941Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:20.221{ec230001-9988-6262-e0e7-bb0769550000}4955/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149940Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:20.221{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-46280-false10.0.1.20-22- 534500x80000000000000002149943Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:20.921{ec230001-9988-6262-e0e7-bb0769550000}4955/usr/sbin/sshdroot 534500x80000000000000002149942Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:20.921{ec230001-9988-6262-0000-000000000000}4956-sshd 354300x80000000000000002149944Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:21.479{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39110-false10.0.1.12-8000- 354300x80000000000000002149945Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:27.422{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39112-false10.0.1.12-8000- 23542300x80000000000000002149946Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:30.983{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002149947Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:32.479{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39114-false10.0.1.12-8000- 354300x80000000000000002149948Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:38.249{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39116-false10.0.1.12-8000- 354300x80000000000000002149949Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:43.370{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39118-false10.0.1.12-8000- 354300x80000000000000002149950Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:47.245{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42104-false10.0.1.12-8089- 354300x80000000000000002149951Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:48.757{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-51376-false10.0.1.20-22- 154100x80000000000000002149952Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:48.758{ec230001-99a4-6262-e0e7-b81474550000}4957/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149953Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:49.262{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39122-false10.0.1.12-8000- 534500x80000000000000002149955Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:49.440{ec230001-99a4-6262-e0e7-b81474550000}4957/usr/sbin/sshdroot 534500x80000000000000002149954Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:49.440{ec230001-99a4-6262-0000-000000000000}4958-sshd 354300x80000000000000002149956Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:03:54.465{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39124-false10.0.1.12-8000- 354300x80000000000000002149957Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:00.274{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39126-false10.0.1.12-8000- 23542300x80000000000000002149958Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:00.982{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x80000000000000002149959Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:01.695{ec230001-99b1-6262-6844-73307a550000}4960/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002149960Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:01.705{ec230001-99b1-6262-6844-73307a550000}4960/bin/psroot 354300x80000000000000002149961Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:05.429{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39128-false10.0.1.12-8000- 354300x80000000000000002149962Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:11.333{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39130-false10.0.1.12-8000- 354300x80000000000000002149963Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:16.361{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39132-false10.0.1.12-8000- 154100x80000000000000002149965Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:17.136{ec230001-99c1-6262-e047-2a2607560000}4961/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149964Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:17.136{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-56446-false10.0.1.20-22- 534500x80000000000000002149966Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:17.807{ec230001-99c1-6262-0000-000000000000}4962-sshd 534500x80000000000000002149967Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:17.808{ec230001-99c1-6262-e047-2a2607560000}4961/usr/sbin/sshdroot 354300x80000000000000002149968Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:22.256{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39134-false10.0.1.12-8000- 354300x80000000000000002149969Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:28.254{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39136-false10.0.1.12-8000- 23542300x80000000000000002149970Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:30.982{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002149971Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:33.418{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39138-false10.0.1.12-8000- 354300x80000000000000002149972Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:39.275{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39140-false10.0.1.12-8000- 354300x80000000000000002149973Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:44.280{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39142-false10.0.1.12-8000- 154100x80000000000000002149975Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:45.511{ec230001-99dd-6262-e057-3bd40d560000}4963/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149974Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:45.511{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-33260-false10.0.1.20-22- 534500x80000000000000002149976Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:46.179{ec230001-99dd-6262-0000-000000000000}4964-sshd 534500x80000000000000002149977Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:46.180{ec230001-99dd-6262-e057-3bd40d560000}4963/usr/sbin/sshdroot 354300x80000000000000002149978Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:47.249{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42128-false10.0.1.12-8089- 354300x80000000000000002149979Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:49.372{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39146-false10.0.1.12-8000- 354300x80000000000000002149980Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:54.435{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39148-false10.0.1.12-8000- 354300x80000000000000002149981Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:04:59.442{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39150-false10.0.1.12-8000- 23542300x80000000000000002149982Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:00.982{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x80000000000000002149983Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:02.706{ec230001-99ee-6262-6824-1c734f560000}4965/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002149984Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:02.725{ec230001-99ee-6262-6824-1c734f560000}4965/bin/psroot 354300x80000000000000002149985Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:04.481{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39152-false10.0.1.12-8000- 354300x80000000000000002149986Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:10.396{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39154-false10.0.1.12-8000- 154100x80000000000000002149988Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:14.021{ec230001-99fa-6262-e057-e8e2b8550000}4966/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149987Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:14.021{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-38290-false10.0.1.20-22- 534500x80000000000000002149989Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:14.709{ec230001-99fa-6262-0000-000000000000}4967-sshd 534500x80000000000000002149990Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:14.710{ec230001-99fa-6262-e057-e8e2b8550000}4966/usr/sbin/sshdroot 354300x80000000000000002149991Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:16.389{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39156-false10.0.1.12-8000- 154100x80000000000000002149993Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:18.924{ec230001-99fe-6262-e0f7-5ef970550000}4968/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002149992Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:18.924{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse212.187.221.34-52627-false10.0.1.20-22- 534500x80000000000000002149994Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.723{ec230001-99fa-6262-0000-000000000000}4969-sshd 154100x80000000000000002149995Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.728{ec230001-99ff-6262-6852-d60c5f550000}4970/bin/dash-----sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99fe-6262-e0f7-5ef970550000}4968/usr/sbin/sshd/usr/sbin/sshdroot 154100x80000000000000002149997Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.729{ec230001-99ff-6262-385a-55ef91550000}4971/bin/run-parts-----run-parts --lsbsysinit /etc/update-motd.d/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6852-d60c5f550000}4970/bin/dashshroot 154100x80000000000000002149996Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.729{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env-----/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6852-d60c5f550000}4970/bin/dashshroot 154100x80000000000000002149998Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.730{ec230001-99ff-6262-6802-e4c8d6550000}4972/bin/dash-----/bin/sh /etc/update-motd.d/00-header/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150000Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.731{ec230001-99ff-6262-804e-40b40e560000}4973/bin/unameroot 154100x80000000000000002149999Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.731{ec230001-99ff-6262-804e-40b40e560000}4973/bin/uname-----uname -o/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6802-e4c8d6550000}4972/bin/dash/bin/shroot 154100x80000000000000002150003Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.732{ec230001-99ff-6262-801e-173f01560000}4975/bin/uname-----uname -m/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6802-e4c8d6550000}4972/bin/dash/bin/shroot 534500x80000000000000002150002Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.732{ec230001-99ff-6262-80fe-6bfd68550000}4974/bin/unameroot 154100x80000000000000002150001Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.732{ec230001-99ff-6262-80fe-6bfd68550000}4974/bin/uname-----uname -r/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6802-e4c8d6550000}4972/bin/dash/bin/shroot 154100x80000000000000002150006Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.733{ec230001-99ff-6262-6892-c4edcc550000}4976/bin/dash-----/bin/sh /etc/update-motd.d/10-help-text/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150005Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.733{ec230001-99ff-6262-6802-e4c8d6550000}4972/bin/dashroot 534500x80000000000000002150004Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.733{ec230001-99ff-6262-801e-173f01560000}4975/bin/unameroot 154100x80000000000000002150009Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.734{ec230001-99ff-6262-506c-de3c92550000}4978/bin/grep-----grep -c ^processor /proc/cpuinfo/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6832-8f8171550000}4977/bin/dash/bin/shroot 154100x80000000000000002150008Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.734{ec230001-99ff-6262-6832-8f8171550000}4977/bin/dash-----/bin/sh /etc/update-motd.d/50-landscape-sysinfo/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150007Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.734{ec230001-99ff-6262-6892-c4edcc550000}4976/bin/dashroot 154100x80000000000000002150012Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.736{ec230001-99ff-6262-b890-31c5ee550000}4982/usr/bin/cut-----cut -f1 -d /proc/loadavg/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}4980--- 154100x80000000000000002150011Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.736{ec230001-99ff-6262-98bf-8603b3550000}4981/usr/bin/bc-----bc/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}4979--- 534500x80000000000000002150010Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.736{ec230001-99ff-6262-506c-de3c92550000}4978/bin/greproot 154100x80000000000000002150017Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.737{ec230001-99ff-6262-08df-f2e168550000}4983/bin/date-----/bin/date/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6832-8f8171550000}4977/bin/dash/bin/shroot 534500x80000000000000002150016Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.737{ec230001-99fa-6262-0000-000000000000}4979-root 534500x80000000000000002150015Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.737{ec230001-99ff-6262-98bf-8603b3550000}4981/usr/bin/bcroot 534500x80000000000000002150014Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.737{ec230001-99fa-6262-0000-000000000000}4980-root 534500x80000000000000002150013Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.737{ec230001-99ff-6262-b890-31c5ee550000}4982/usr/bin/cutroot 154100x80000000000000002150019Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.738{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6-----/usr/bin/python3 /usr/bin/landscape-sysinfo/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-6832-8f8171550000}4977/bin/dash/bin/shroot 534500x80000000000000002150018Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.738{ec230001-99ff-6262-08df-f2e168550000}4983/bin/dateroot 154100x80000000000000002150021Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.852{ec230001-99ff-6262-b8f1-68fc787f0000}4985/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6/usr/bin/python3root 154100x80000000000000002150020Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.852{ec230001-99ff-6262-68a2-e5dda4550000}4985/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150022Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.854{ec230001-99ff-6262-68a2-e5dda4550000}4985/bin/dashroot 154100x80000000000000002150024Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.880{ec230001-99ff-6262-b871-068a267f0000}4986/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6/usr/bin/python3root 154100x80000000000000002150023Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.880{ec230001-99ff-6262-68a2-767c75550000}4986/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150025Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.882{ec230001-99ff-6262-68a2-767c75550000}4986/bin/dashroot 534500x80000000000000002150026Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:19.980{00000000-0000-0000-0000-000000000000}4987<unknown process>root 154100x80000000000000002150027Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.013{ec230001-9a00-6262-f043-041007560000}4988/usr/bin/who-----who -q/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150028Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.016{ec230001-9a00-6262-f043-041007560000}4988/usr/bin/whoroot 534500x80000000000000002150029Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.053{ec230001-99ff-6262-503c-7b0000000000}4984/usr/bin/python3.6root 154100x80000000000000002150031Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.054{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dash-----/bin/sh /etc/update-motd.d/50-motd-news/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150030Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.054{ec230001-99ff-6262-6832-8f8171550000}4977/bin/dashroot 154100x80000000000000002150035Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.055{ec230001-9a00-6262-d0f9-8873e5550000}4990/bin/cat-----cat /var/cache/motd-news/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dash/bin/shroot 154100x80000000000000002150034Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.055{ec230001-9a00-6262-b8a0-4a6803560000}4993/usr/bin/cut-----cut -c -80/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dash/bin/shroot 154100x80000000000000002150033Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.055{ec230001-9a00-6262-e065-ecfcbf550000}4992/usr/bin/tr-----tr -d \000-\011\013\014\016-\037/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dash/bin/shroot 154100x80000000000000002150032Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.055{ec230001-9a00-6262-78f2-2ee6b6550000}4991/usr/bin/head-----head -n 10/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dash/bin/shroot 534500x80000000000000002150037Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.056{ec230001-9a00-6262-78f2-2ee6b6550000}4991/usr/bin/headroot 534500x80000000000000002150036Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.056{ec230001-9a00-6262-d0f9-8873e5550000}4990/bin/catroot 534500x80000000000000002150042Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.057{ec230001-9a00-6262-68a2-de8ec5550000}4994/bin/dashroot 154100x80000000000000002150041Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.057{ec230001-9a00-6262-68a2-de8ec5550000}4994/bin/dash-----/bin/sh /etc/update-motd.d/88-esm-announce/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150040Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.057{ec230001-9a00-6262-68e2-dbb494550000}4989/bin/dashroot 534500x80000000000000002150039Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.057{ec230001-9a00-6262-e065-ecfcbf550000}4992/usr/bin/trroot 534500x80000000000000002150038Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.057{ec230001-9a00-6262-b8a0-4a6803560000}4993/usr/bin/cutroot 154100x80000000000000002150044Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.058{ec230001-9a00-6262-d089-be176a550000}4996/bin/cat-----cat /var/lib/update-notifier/updates-available/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6882-dd5f14560000}4995/bin/dash/bin/shroot 154100x80000000000000002150043Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.058{ec230001-9a00-6262-6882-dd5f14560000}4995/bin/dash-----/bin/sh /etc/update-motd.d/90-updates-available/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150047Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.059{ec230001-9a00-6262-6892-3ad070550000}4997/bin/dash-----/bin/sh /etc/update-motd.d/91-contract-ua-esm-status/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150046Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.059{ec230001-9a00-6262-6882-dd5f14560000}4995/bin/dashroot 534500x80000000000000002150045Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.059{ec230001-9a00-6262-d089-be176a550000}4996/bin/catroot 154100x80000000000000002150055Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.060{ec230001-9a00-6262-6872-dd9eed550000}4998/bin/dash-----/bin/sh -e /usr/lib/ubuntu-release-upgrader/release-upgrade-motd/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150049Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.060{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dash-----/bin/sh /etc/update-motd.d/91-release-upgrade/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150048Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.060{ec230001-9a00-6262-6892-3ad070550000}4997/bin/dashroot 154100x80000000000000002150051Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.061{ec230001-9a00-6262-b820-c8d1fe550000}5001/usr/bin/cut-----cut -d -f4/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}4999--- 154100x80000000000000002150050Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.061{ec230001-9a00-6262-503c-7b0000000000}5000/usr/bin/python3.6-----/usr/bin/python3 -Es /usr/bin/lsb_release -sd/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}4999--- 534500x80000000000000002150054Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.103{ec230001-99fa-6262-0000-000000000000}4999-root 534500x80000000000000002150053Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.103{ec230001-9a00-6262-b820-c8d1fe550000}5001/usr/bin/cutroot 534500x80000000000000002150052Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.103{ec230001-9a00-6262-503c-7b0000000000}5000/usr/bin/python3.6root 534500x80000000000000002150057Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.104{ec230001-9a00-6262-088f-5da6b9550000}5002/bin/dateroot 154100x80000000000000002150056Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.104{ec230001-9a00-6262-088f-5da6b9550000}5002/bin/date-----date +%s/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dash/bin/shroot 154100x80000000000000002150058Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.105{ec230001-9a00-6262-8864-e76665550000}5003/usr/bin/stat-----stat -c %Y /var/lib/ubuntu-release-upgrader/release-upgrade-available/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dash/bin/shroot 154100x80000000000000002150062Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.106{ec230001-9a00-6262-d0f9-3563d5550000}5005/bin/cat-----cat /var/lib/ubuntu-release-upgrader/release-upgrade-available/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dash/bin/shroot 534500x80000000000000002150061Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.106{ec230001-9a00-6262-98b5-cecbd4550000}5004/usr/bin/exprroot 154100x80000000000000002150060Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.106{ec230001-9a00-6262-98b5-cecbd4550000}5004/usr/bin/expr-----expr 1650615355 + 86400/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dash/bin/shroot 534500x80000000000000002150059Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.106{ec230001-9a00-6262-8864-e76665550000}5003/usr/bin/statroot 154100x80000000000000002150066Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.107{ec230001-9a00-6262-68b2-5e5a17560000}5006/bin/dash-----/bin/sh /usr/share/unattended-upgrades/update-motd-unattended-upgrades/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150065Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.107{ec230001-9a00-6262-68f2-3f1d50560000}5006/bin/dash-----/bin/sh /etc/update-motd.d/92-unattended-upgrades/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150064Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.107{ec230001-9a00-6262-6862-c832cd550000}4998/bin/dashroot 534500x80000000000000002150063Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.107{ec230001-9a00-6262-d0f9-3563d5550000}5005/bin/catroot 534500x80000000000000002150067Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.108{ec230001-9a00-6262-68f2-3f1d50560000}5006/bin/dashroot 154100x80000000000000002150069Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.109{ec230001-9a00-6262-6882-8ce349560000}5007/bin/dash-----/bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150068Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.109{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash-----/bin/sh /etc/update-motd.d/95-hwe-eol/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150070Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.110{ec230001-9a00-6262-7314-0326b9550000}5008/usr/bin/apt-config-----apt-config shell StateDir Dir::State/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 154100x80000000000000002150071Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.114{ec230001-9a00-6262-7081-2330b5550000}5009/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-7314-0326b9550000}5008/usr/bin/apt-configapt-configroot 154100x80000000000000002150074Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.116{ec230001-9a00-6262-7314-706e1d560000}5010/usr/bin/apt-config-----apt-config shell ListDir Dir::State::Lists/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 534500x80000000000000002150073Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.116{ec230001-9a00-6262-7314-0326b9550000}5008/usr/bin/apt-configroot 534500x80000000000000002150072Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.116{ec230001-9a00-6262-7081-2330b5550000}5009/usr/bin/dpkgroot 154100x80000000000000002150075Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.121{ec230001-9a00-6262-70a1-0abc41560000}5011/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-7314-706e1d560000}5010/usr/bin/apt-configapt-configroot 534500x80000000000000002150076Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.125{ec230001-9a00-6262-70a1-0abc41560000}5011/usr/bin/dpkgroot 154100x80000000000000002150078Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.126{ec230001-9a00-6262-7374-123acb550000}5012/usr/bin/apt-config-----apt-config shell DpkgStatus Dir::State::status/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 534500x80000000000000002150077Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.126{ec230001-9a00-6262-7314-706e1d560000}5010/usr/bin/apt-configroot 154100x80000000000000002150079Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.130{ec230001-9a00-6262-70f1-653a63550000}5013/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-7374-123acb550000}5012/usr/bin/apt-configapt-configroot 534500x80000000000000002150081Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.133{ec230001-9a00-6262-7374-123acb550000}5012/usr/bin/apt-configroot 534500x80000000000000002150080Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.133{ec230001-9a00-6262-70f1-653a63550000}5013/usr/bin/dpkgroot 154100x80000000000000002150082Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.134{ec230001-9a00-6262-7374-8bc6eb550000}5014/usr/bin/apt-config-----apt-config shell EtcDir Dir::Etc/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 154100x80000000000000002150083Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.138{ec230001-9a00-6262-7061-1900cf550000}5015/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-7374-8bc6eb550000}5014/usr/bin/apt-configapt-configroot 534500x80000000000000002150085Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.141{ec230001-9a00-6262-7374-8bc6eb550000}5014/usr/bin/apt-configroot 534500x80000000000000002150084Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.141{ec230001-9a00-6262-7061-1900cf550000}5015/usr/bin/dpkgroot 154100x80000000000000002150086Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.142{ec230001-9a00-6262-7344-9507fd550000}5016/usr/bin/apt-config-----apt-config shell SourceList Dir::Etc::sourcelist/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 154100x80000000000000002150087Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.147{ec230001-9a00-6262-70b1-9eb6c6550000}5017/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-7344-9507fd550000}5016/usr/bin/apt-configapt-configroot 534500x80000000000000002150089Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.149{ec230001-9a00-6262-7344-9507fd550000}5016/usr/bin/apt-configroot 534500x80000000000000002150088Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.149{ec230001-9a00-6262-70b1-9eb6c6550000}5017/usr/bin/dpkgroot 154100x80000000000000002150090Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.150{ec230001-9a00-6262-9030-b2d31e560000}5018/usr/bin/find-----find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/hwe-eol -print -quit/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 154100x80000000000000002150094Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.151{ec230001-9a00-6262-a860-8951ed550000}5019/bin/mktemp-----mktemp -p /var/lib/update-notifier/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 154100x80000000000000002150092Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.151{ec230001-9a00-6262-e838-15fc6f550000}5020/usr/bin/dirname-----dirname /var/lib/update-notifier/hwe-eol/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}5019--- 534500x80000000000000002150091Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.151{ec230001-9a00-6262-9030-b2d31e560000}5018/usr/bin/findroot 534500x80000000000000002150093Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.152{ec230001-9a00-6262-e838-15fc6f550000}5020/usr/bin/dirnameroot 154100x80000000000000002150098Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.153{ec230001-9a00-6262-7073-574a64550000}5022/bin/rm-----rm -f /var/lib/update-notifier/tmp.qPqiJcZDUI/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 534500x80000000000000002150097Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.153{ec230001-9a00-6262-d049-f7f08f550000}5021/bin/catroot 154100x80000000000000002150096Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.153{ec230001-9a00-6262-d049-f7f08f550000}5021/bin/cat-----cat /var/lib/update-notifier/hwe-eol/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dash/bin/shroot 534500x80000000000000002150095Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.153{ec230001-9a00-6262-a860-8951ed550000}5019/bin/mktemproot 154100x80000000000000002150102Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.154{ec230001-9a00-6262-68c2-0fe977550000}5023/bin/dash-----/bin/sh /etc/update-motd.d/97-overlayroot/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150101Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.154{ec230001-9a00-6262-6852-0d23fe550000}5007/bin/dashroot 534500x80000000000000002150100Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.154{ec230001-9a00-6262-7073-574a64550000}5022/bin/rmroot 23542300x80000000000000002150099Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.154{ec230001-9a00-6262-7073-574a64550000}5022root/bin/rm/var/lib/update-notifier/tmp.qPqiJcZDUI--- 154100x80000000000000002150105Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.155{ec230001-9a00-6262-501c-2d87aa550000}5025/bin/grep-----grep -E overlayroot|/media/root-ro|/media/root-rw /proc/mounts/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}5024--- 154100x80000000000000002150104Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.155{ec230001-9a00-6262-18fa-b86a9b550000}5026/usr/bin/sort-----sort -r/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}5024--- 154100x80000000000000002150103Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.155{ec230001-9a00-6262-6882-200805560000}5025/bin/dash-----/bin/sh /bin/egrep overlayroot|/media/root-ro|/media/root-rw /proc/mounts/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}5024--- 534500x80000000000000002150107Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.156{ec230001-9a00-6262-18fa-b86a9b550000}5026/usr/bin/sortroot 534500x80000000000000002150106Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.156{ec230001-9a00-6262-6882-200805560000}5025/bin/dashroot 154100x80000000000000002150111Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.157{ec230001-9a00-6262-68d2-3d0c86550000}5027/bin/dash-----/bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150110Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.157{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dash-----/bin/sh /etc/update-motd.d/98-fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150109Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.157{ec230001-9a00-6262-68c2-0fe977550000}5023/bin/dashroot 534500x80000000000000002150108Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.157{00000000-0000-0000-0000-000000000000}5024<unknown process>root 154100x80000000000000002150112Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.159{ec230001-9a00-6262-8834-ecfd96550000}5028/usr/bin/stat-----stat -c %Y /var/lib/update-notifier/fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dash/bin/shroot 154100x80000000000000002150116Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.160{ec230001-9a00-6262-080f-512168550000}5029/bin/date-----date -d now - 14618.84 seconds +%s/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dash/bin/shroot 154100x80000000000000002150114Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.160{ec230001-9a00-6262-f05c-4375b7550000}5030/usr/bin/gawk-----awk {print $1} /proc/uptime/root{ec230001-0000-0000-0000-000000000000}08no level-{00000000-0000-0000-0000-000000000000}5029--- 534500x80000000000000002150113Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.160{ec230001-9a00-6262-8834-ecfd96550000}5028/usr/bin/statroot 154100x80000000000000002150118Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.162{ec230001-9a00-6262-086f-348567550000}5031/bin/date-----date +%s/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dash/bin/shroot 534500x80000000000000002150117Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.162{ec230001-9a00-6262-080f-512168550000}5029/bin/dateroot 534500x80000000000000002150115Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.162{ec230001-9a00-6262-f05c-4375b7550000}5030/usr/bin/gawkroot 154100x80000000000000002150120Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.163{ec230001-9a00-6262-d0c9-96b43c560000}5032/bin/cat-----cat /var/lib/update-notifier/fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dash/bin/shroot 534500x80000000000000002150119Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.163{ec230001-9a00-6262-086f-348567550000}5031/bin/dateroot 534500x80000000000000002150122Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.164{ec230001-9a00-6262-6842-55fb2f560000}5027/bin/dashroot 534500x80000000000000002150121Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.164{ec230001-9a00-6262-d0c9-96b43c560000}5032/bin/catroot 534500x80000000000000002150125Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.165{ec230001-9a00-6262-6882-4810cd550000}5033/bin/dashroot 154100x80000000000000002150124Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.165{ec230001-9a00-6262-68d2-0da34a560000}5033/bin/dash-----/bin/sh -e /usr/lib/update-notifier/update-motd-reboot-required/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 154100x80000000000000002150123Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.165{ec230001-9a00-6262-6882-4810cd550000}5033/bin/dash-----/bin/sh /etc/update-motd.d/98-reboot-required/root{ec230001-0000-0000-0000-000000000000}08no level-{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/env/usr/bin/envroot 534500x80000000000000002150127Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.166{ec230001-99ff-6262-6852-d60c5f550000}4970/bin/dashroot 534500x80000000000000002150126Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.166{ec230001-99ff-6262-78fc-9c4fc7550000}4971/usr/bin/envroot 154100x80000000000000002150128Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.513{ec230001-9a00-6262-0894-5ed9d0550000}5035/bin/bash------bash/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{00000000-0000-0000-0000-000000000000}5034--- 154100x80000000000000002150129Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.516{ec230001-9a00-6262-889e-05dd48560000}5037/usr/bin/locale-check-----/usr/bin/locale-check C.UTF-8/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{00000000-0000-0000-0000-000000000000}5036--- 534500x80000000000000002150131Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.517{ec230001-99fa-6262-0000-000000000000}5036-ubuntu 534500x80000000000000002150130Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.517{ec230001-9a00-6262-889e-05dd48560000}5037/usr/bin/locale-checkubuntu 154100x80000000000000002150132Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.518{ec230001-9a00-6262-3010-73f82d560000}5038/usr/bin/locale-----locale/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{ec230001-9a00-6262-0894-5ed9d0550000}5035/bin/bash-bashubuntu 534500x80000000000000002150133Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.519{ec230001-9a00-6262-3010-73f82d560000}5038/usr/bin/localeubuntu 534500x80000000000000002150134Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.521{ec230001-99fa-6262-0000-000000000000}5039-ubuntu 154100x80000000000000002150135Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.541{ec230001-9a00-6262-68d2-f81e61550000}5041/bin/dash-----/bin/sh /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{00000000-0000-0000-0000-000000000000}5040--- 534500x80000000000000002150137Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.542{ec230001-9a00-6262-e8bb-087d4f560000}5042/usr/bin/basenameubuntu 154100x80000000000000002150136Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.542{ec230001-9a00-6262-e8bb-087d4f560000}5042/usr/bin/basename-----basename /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{ec230001-9a00-6262-68d2-f81e61550000}5041/bin/dash/bin/shubuntu 154100x80000000000000002150138Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.543{ec230001-9a00-6262-e8f8-8acf26560000}5044/usr/bin/dirname-----dirname /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{00000000-0000-0000-0000-000000000000}5043--- 534500x80000000000000002150140Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.544{ec230001-9a00-6262-0000-000000000000}5043-ubuntu 534500x80000000000000002150139Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.544{ec230001-9a00-6262-e8f8-8acf26560000}5044/usr/bin/dirnameubuntu 534500x80000000000000002150142Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.545{ec230001-9a00-6262-0000-000000000000}5040-ubuntu 534500x80000000000000002150141Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.545{ec230001-9a00-6262-68d2-f81e61550000}5041/bin/dashubuntu 154100x80000000000000002150143Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.546{ec230001-9a00-6262-48a9-ed302f560000}5046/usr/bin/dircolors-----dircolors -b/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{00000000-0000-0000-0000-000000000000}5045--- 534500x80000000000000002150145Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.547{ec230001-9a00-6262-0000-000000000000}5045-ubuntu 534500x80000000000000002150144Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:20.547{ec230001-9a00-6262-48a9-ed302f560000}5046/usr/bin/dircolorsubuntu 354300x80000000000000002150146Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:22.374{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39158-false10.0.1.12-8000- 154100x80000000000000002150147Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:25.977{ec230001-9a05-6262-9c36-c6d8e9550000}5047/sbin/ifconfig-----ifconfig/home/ubuntuubuntu{ec230001-9a01-6262-e803-000001000000}10008no level-{ec230001-9a00-6262-0894-5ed9d0550000}5035/bin/bash-bashubuntu 534500x80000000000000002150148Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:25.980{ec230001-9a05-6262-9c36-c6d8e9550000}5047/sbin/ifconfigubuntu 354300x80000000000000002150149Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:27.390{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39160-false10.0.1.12-8000- 23542300x80000000000000002150150Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:30.862{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150151Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:32.468{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39162-false10.0.1.12-8000- 354300x80000000000000002150152Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:38.412{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39164-false10.0.1.12-8000- 154100x80000000000000002150154Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:42.615{ec230001-9a16-6262-e067-6895f0550000}5048/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150153Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:42.615{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-43548-false10.0.1.20-22- 534500x80000000000000002150155Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:43.321{ec230001-9a16-6262-0000-000000000000}5049-sshd 534500x80000000000000002150156Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:43.322{ec230001-9a16-6262-e067-6895f0550000}5048/usr/sbin/sshdroot 354300x80000000000000002150157Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:43.429{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39166-false10.0.1.12-8000- 354300x80000000000000002150158Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:47.254{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42152-false10.0.1.12-8089- 354300x80000000000000002150159Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:48.429{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39170-false10.0.1.12-8000- 154100x80000000000000002150161Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:52.548{ec230001-9a20-6262-e0c7-0ef4c7550000}5050/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150160Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:52.548{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse10.0.1.14-51434-false10.0.1.20-22- 354300x80000000000000002150162Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:53.482{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39172-false10.0.1.12-8000- 354300x80000000000000002150163Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:05:59.413{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39174-false10.0.1.12-8000- 23542300x80000000000000002150164Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:00.980{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x80000000000000002150165Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:03.785{ec230001-9a2b-6262-6844-c25d40560000}5052/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150166Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:03.798{ec230001-9a2b-6262-6844-c25d40560000}5052/bin/psroot 354300x80000000000000002150167Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:05.355{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39176-false10.0.1.12-8000- 354300x80000000000000002150168Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:11.358{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-48406-false10.0.1.20-22- 154100x80000000000000002150169Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:11.359{ec230001-9a33-6262-e047-1f01e4550000}5053/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 534500x80000000000000002150170Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:12.047{ec230001-9a33-6262-0000-000000000000}5054-sshd 534500x80000000000000002150171Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:12.048{ec230001-9a33-6262-e047-1f01e4550000}5053/usr/sbin/sshdroot 354300x80000000000000002150172Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:16.407{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39180-false10.0.1.12-8000- 354300x80000000000000002150173Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:21.418{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39182-false10.0.1.12-8000- 354300x80000000000000002150174Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:27.268{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39184-false10.0.1.12-8000- 23542300x80000000000000002150175Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:30.980{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150176Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:32.372{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39186-false10.0.1.12-8000- 354300x80000000000000002150177Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:38.247{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39188-false10.0.1.12-8000- 154100x80000000000000002150179Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.058{ec230001-9a51-6262-e017-ee6b11560000}5055/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150178Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.058{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-53572-false10.0.1.20-22- 534500x80000000000000002150180Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.140{ec230001-9a20-6262-0000-000000000000}5051-sshd 154100x80000000000000002150181Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.146{ec230001-9a51-6262-68c2-f506c1550000}5057/bin/dash-----sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a20-6262-e0c7-0ef4c7550000}5050/usr/sbin/sshd/usr/sbin/sshdroot 154100x80000000000000002150183Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.147{ec230001-9a51-6262-38ca-53d75f550000}5058/bin/run-parts-----run-parts --lsbsysinit /etc/update-motd.d/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-f506c1550000}5057/bin/dashshroot 154100x80000000000000002150182Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.147{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env-----/usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-f506c1550000}5057/bin/dashshroot 154100x80000000000000002150184Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.148{ec230001-9a51-6262-6822-f48508560000}5059/bin/dash-----/bin/sh /etc/update-motd.d/00-header/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150185Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.149{ec230001-9a51-6262-806e-fd7b9d550000}5060/bin/uname-----uname -o/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6822-f48508560000}5059/bin/dash/bin/shroot 154100x80000000000000002150189Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.150{ec230001-9a51-6262-808e-48fb7f550000}5062/bin/uname-----uname -m/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6822-f48508560000}5059/bin/dash/bin/shroot 534500x80000000000000002150188Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.150{ec230001-9a51-6262-806e-1fd09c550000}5061/bin/unameroot 154100x80000000000000002150187Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.150{ec230001-9a51-6262-806e-1fd09c550000}5061/bin/uname-----uname -r/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6822-f48508560000}5059/bin/dash/bin/shroot 534500x80000000000000002150186Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.150{ec230001-9a51-6262-806e-fd7b9d550000}5060/bin/unameroot 154100x80000000000000002150192Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.151{ec230001-9a51-6262-68c2-f35c35560000}5063/bin/dash-----/bin/sh /etc/update-motd.d/10-help-text/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150191Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.151{ec230001-9a51-6262-6822-f48508560000}5059/bin/dashroot 534500x80000000000000002150190Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.151{ec230001-9a51-6262-808e-48fb7f550000}5062/bin/unameroot 154100x80000000000000002150194Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.152{ec230001-9a51-6262-68e2-7a0e91550000}5064/bin/dash-----/bin/sh /etc/update-motd.d/50-landscape-sysinfo/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150193Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.152{ec230001-9a51-6262-68c2-f35c35560000}5063/bin/dashroot 154100x80000000000000002150195Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.153{ec230001-9a51-6262-50ec-e47743560000}5065/bin/grep-----grep -c ^processor /proc/cpuinfo/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68e2-7a0e91550000}5064/bin/dash/bin/shroot 154100x80000000000000002150198Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.154{ec230001-9a51-6262-989f-31c799550000}5068/usr/bin/bc-----bc/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5066--- 154100x80000000000000002150197Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.154{ec230001-9a51-6262-b8c0-f61c2d560000}5069/usr/bin/cut-----cut -f1 -d /proc/loadavg/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5067--- 534500x80000000000000002150196Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.154{ec230001-9a51-6262-50ec-e47743560000}5065/bin/greproot 154100x80000000000000002150203Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.155{ec230001-9a51-6262-08df-519b8d550000}5070/bin/date-----/bin/date/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68e2-7a0e91550000}5064/bin/dash/bin/shroot 534500x80000000000000002150202Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.155{ec230001-9a20-6262-0000-000000000000}5066-root 534500x80000000000000002150201Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.155{ec230001-9a51-6262-989f-31c799550000}5068/usr/bin/bcroot 534500x80000000000000002150200Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.155{00000000-0000-0000-0000-000000000000}5067<unknown process>root 534500x80000000000000002150199Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.155{ec230001-9a51-6262-b8c0-f61c2d560000}5069/usr/bin/cutroot 154100x80000000000000002150205Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.156{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6-----/usr/bin/python3 /usr/bin/landscape-sysinfo/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68e2-7a0e91550000}5064/bin/dash/bin/shroot 534500x80000000000000002150204Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.156{ec230001-9a51-6262-08df-519b8d550000}5070/bin/dateroot 154100x80000000000000002150207Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.270{ec230001-9a51-6262-b841-83fc207f0000}5072/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6/usr/bin/python3root 154100x80000000000000002150206Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.270{ec230001-9a51-6262-68d2-cf28ef550000}5072/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150208Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.272{ec230001-9a51-6262-68d2-cf28ef550000}5072/bin/dashroot 154100x80000000000000002150210Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.299{ec230001-9a51-6262-b871-80a1907f0000}5073/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6/usr/bin/python3root 154100x80000000000000002150209Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.299{ec230001-9a51-6262-6842-05e742560000}5073/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150211Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.301{ec230001-9a51-6262-6842-05e742560000}5073/bin/dashroot 534500x80000000000000002150212Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.402{00000000-0000-0000-0000-000000000000}5074<unknown process>root 154100x80000000000000002150213Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.439{ec230001-9a51-6262-f093-4381f7550000}5075/usr/bin/who-----who -q/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6/usr/bin/python3root 534500x80000000000000002150214Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.442{ec230001-9a51-6262-f093-4381f7550000}5075/usr/bin/whoroot 154100x80000000000000002150217Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.486{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dash-----/bin/sh /etc/update-motd.d/50-motd-news/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150216Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.486{ec230001-9a51-6262-68e2-7a0e91550000}5064/bin/dashroot 534500x80000000000000002150215Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.486{ec230001-9a51-6262-503c-7b0000000000}5071/usr/bin/python3.6root 154100x80000000000000002150221Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.487{ec230001-9a51-6262-b820-e1049a550000}5080/usr/bin/cut-----cut -c -80/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dash/bin/shroot 154100x80000000000000002150220Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.487{ec230001-9a51-6262-e0c5-acf8a2550000}5079/usr/bin/tr-----tr -d \000-\011\013\014\016-\037/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dash/bin/shroot 154100x80000000000000002150219Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.487{ec230001-9a51-6262-7852-ef3e0e560000}5078/usr/bin/head-----head -n 10/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dash/bin/shroot 154100x80000000000000002150218Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.487{ec230001-9a51-6262-d0e9-d5ad48560000}5077/bin/cat-----cat /var/cache/motd-news/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dash/bin/shroot 534500x80000000000000002150225Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.488{ec230001-9a51-6262-b820-e1049a550000}5080/usr/bin/cutroot 534500x80000000000000002150224Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.488{ec230001-9a51-6262-e0c5-acf8a2550000}5079/usr/bin/trroot 534500x80000000000000002150223Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.488{ec230001-9a51-6262-7852-ef3e0e560000}5078/usr/bin/headroot 534500x80000000000000002150222Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.488{ec230001-9a51-6262-d0e9-d5ad48560000}5077/bin/catroot 534500x80000000000000002150226Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.489{ec230001-9a51-6262-6802-7978ef550000}5076/bin/dashroot 154100x80000000000000002150229Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.491{ec230001-9a51-6262-6892-0e0038560000}5082/bin/dash-----/bin/sh /etc/update-motd.d/90-updates-available/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150228Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.491{ec230001-9a51-6262-6832-66c39d550000}5081/bin/dashroot 154100x80000000000000002150227Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.491{ec230001-9a51-6262-6832-66c39d550000}5081/bin/dash-----/bin/sh /etc/update-motd.d/88-esm-announce/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150231Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.492{ec230001-9a51-6262-d0c9-1e7823560000}5083/bin/catroot 154100x80000000000000002150230Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.492{ec230001-9a51-6262-d0c9-1e7823560000}5083/bin/cat-----cat /var/lib/update-notifier/updates-available/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6892-0e0038560000}5082/bin/dash/bin/shroot 154100x80000000000000002150241Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.493{ec230001-9a51-6262-6862-4ef7a2550000}5085/bin/dash-----/bin/sh -e /usr/lib/ubuntu-release-upgrader/release-upgrade-motd/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150235Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.493{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dash-----/bin/sh /etc/update-motd.d/91-release-upgrade/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150234Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.493{ec230001-9a51-6262-68b2-ba0390550000}5084/bin/dashroot 154100x80000000000000002150233Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.493{ec230001-9a51-6262-68b2-ba0390550000}5084/bin/dash-----/bin/sh /etc/update-motd.d/91-contract-ua-esm-status/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150232Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.493{ec230001-9a51-6262-6892-0e0038560000}5082/bin/dashroot 154100x80000000000000002150237Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.494{ec230001-9a51-6262-b800-579910560000}5088/usr/bin/cut-----cut -d -f4/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5086--- 154100x80000000000000002150236Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.494{ec230001-9a51-6262-503c-7b0000000000}5087/usr/bin/python3.6-----/usr/bin/python3 -Es /usr/bin/lsb_release -sd/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5086--- 534500x80000000000000002150238Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.539{ec230001-9a51-6262-503c-7b0000000000}5087/usr/bin/python3.6root 154100x80000000000000002150242Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.540{ec230001-9a51-6262-08af-edcb8c550000}5089/bin/date-----date +%s/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dash/bin/shroot 534500x80000000000000002150240Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.540{ec230001-9a20-6262-0000-000000000000}5086-root 534500x80000000000000002150239Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.540{ec230001-9a51-6262-b800-579910560000}5088/usr/bin/cutroot 154100x80000000000000002150244Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.541{ec230001-9a51-6262-8804-13a671550000}5090/usr/bin/stat-----stat -c %Y /var/lib/ubuntu-release-upgrader/release-upgrade-available/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dash/bin/shroot 534500x80000000000000002150243Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.541{ec230001-9a51-6262-08af-edcb8c550000}5089/bin/dateroot 154100x80000000000000002150246Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.542{ec230001-9a51-6262-98e5-f56e18560000}5091/usr/bin/expr-----expr 1650615355 + 86400/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dash/bin/shroot 534500x80000000000000002150245Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.542{ec230001-9a51-6262-8804-13a671550000}5090/usr/bin/statroot 154100x80000000000000002150248Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.543{ec230001-9a51-6262-d029-1abf4b560000}5092/bin/cat-----cat /var/lib/ubuntu-release-upgrader/release-upgrade-available/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dash/bin/shroot 534500x80000000000000002150247Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.543{ec230001-9a51-6262-98e5-f56e18560000}5091/usr/bin/exprroot 154100x80000000000000002150252Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.544{ec230001-9a51-6262-68c2-2a77ff550000}5093/bin/dash-----/bin/sh /usr/share/unattended-upgrades/update-motd-unattended-upgrades/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150251Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.544{ec230001-9a51-6262-68b2-50d4bb550000}5093/bin/dash-----/bin/sh /etc/update-motd.d/92-unattended-upgrades/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150250Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.544{ec230001-9a51-6262-6832-1610a7550000}5085/bin/dashroot 534500x80000000000000002150249Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.544{ec230001-9a51-6262-d029-1abf4b560000}5092/bin/catroot 154100x80000000000000002150255Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.545{ec230001-9a51-6262-6852-efefed550000}5094/bin/dash-----/bin/sh -e /usr/lib/update-notifier/update-motd-hwe-eol/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150254Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.545{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash-----/bin/sh /etc/update-motd.d/95-hwe-eol/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150253Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.545{ec230001-9a51-6262-68b2-50d4bb550000}5093/bin/dashroot 154100x80000000000000002150256Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.546{ec230001-9a51-6262-7384-c5fd7f550000}5095/usr/bin/apt-config-----apt-config shell StateDir Dir::State/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 154100x80000000000000002150257Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.550{ec230001-9a51-6262-70b1-73735f550000}5096/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-7384-c5fd7f550000}5095/usr/bin/apt-configapt-configroot 154100x80000000000000002150260Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.552{ec230001-9a51-6262-73d4-3361e7550000}5097/usr/bin/apt-config-----apt-config shell ListDir Dir::State::Lists/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150259Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.552{ec230001-9a51-6262-7384-c5fd7f550000}5095/usr/bin/apt-configroot 534500x80000000000000002150258Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.552{ec230001-9a51-6262-70b1-73735f550000}5096/usr/bin/dpkgroot 154100x80000000000000002150261Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.556{ec230001-9a51-6262-7081-99abbb550000}5098/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-73d4-3361e7550000}5097/usr/bin/apt-configapt-configroot 534500x80000000000000002150262Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.558{ec230001-9a51-6262-7081-99abbb550000}5098/usr/bin/dpkgroot 154100x80000000000000002150264Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.559{ec230001-9a51-6262-7384-d2c066550000}5099/usr/bin/apt-config-----apt-config shell DpkgStatus Dir::State::status/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150263Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.559{ec230001-9a51-6262-73d4-3361e7550000}5097/usr/bin/apt-configroot 154100x80000000000000002150265Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.563{ec230001-9a51-6262-7091-393305560000}5100/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-7384-d2c066550000}5099/usr/bin/apt-configapt-configroot 534500x80000000000000002150266Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.565{ec230001-9a51-6262-7091-393305560000}5100/usr/bin/dpkgroot 154100x80000000000000002150268Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.566{ec230001-9a51-6262-7384-44ccb3550000}5101/usr/bin/apt-config-----apt-config shell EtcDir Dir::Etc/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150267Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.566{ec230001-9a51-6262-7384-d2c066550000}5099/usr/bin/apt-configroot 154100x80000000000000002150269Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.570{ec230001-9a51-6262-70f1-7d8ef4550000}5102/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-7384-44ccb3550000}5101/usr/bin/apt-configapt-configroot 534500x80000000000000002150271Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.572{ec230001-9a51-6262-7384-44ccb3550000}5101/usr/bin/apt-configroot 534500x80000000000000002150270Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.572{ec230001-9a51-6262-70f1-7d8ef4550000}5102/usr/bin/dpkgroot 154100x80000000000000002150272Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.573{ec230001-9a51-6262-73b4-e6bf73550000}5103/usr/bin/apt-config-----apt-config shell SourceList Dir::Etc::sourcelist/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 154100x80000000000000002150273Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.576{ec230001-9a51-6262-7041-15b1d2550000}5104/usr/bin/dpkg-----/usr/bin/dpkg --print-foreign-architectures/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-73b4-e6bf73550000}5103/usr/bin/apt-configapt-configroot 534500x80000000000000002150274Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.578{ec230001-9a51-6262-7041-15b1d2550000}5104/usr/bin/dpkgroot 154100x80000000000000002150276Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.579{ec230001-9a51-6262-9030-1ff0ec550000}5105/usr/bin/find-----find /var/lib/apt/lists/ /etc/apt/sources.list //var/lib/dpkg/status -type f -newer /var/lib/update-notifier/hwe-eol -print -quit/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150275Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.579{ec230001-9a51-6262-73b4-e6bf73550000}5103/usr/bin/apt-configroot 154100x80000000000000002150280Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.581{ec230001-9a51-6262-a890-6184c1550000}5106/bin/mktemp-----mktemp -p /var/lib/update-notifier/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 154100x80000000000000002150278Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.581{ec230001-9a51-6262-e838-3892d7550000}5107/usr/bin/dirname-----dirname /var/lib/update-notifier/hwe-eol/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5106--- 534500x80000000000000002150277Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.581{ec230001-9a51-6262-9030-1ff0ec550000}5105/usr/bin/findroot 534500x80000000000000002150279Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.582{ec230001-9a51-6262-e838-3892d7550000}5107/usr/bin/dirnameroot 154100x80000000000000002150282Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.583{ec230001-9a51-6262-d0e9-965173550000}5108/bin/cat-----cat /var/lib/update-notifier/hwe-eol/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150281Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.583{ec230001-9a51-6262-a890-6184c1550000}5106/bin/mktemproot 534500x80000000000000002150287Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.584{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dashroot 534500x80000000000000002150286Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.584{ec230001-9a51-6262-7053-fb084c560000}5109/bin/rmroot 23542300x80000000000000002150285Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.584{ec230001-9a51-6262-7053-fb084c560000}5109root/bin/rm/var/lib/update-notifier/tmp.aHJK3eQBrz--- 154100x80000000000000002150284Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.584{ec230001-9a51-6262-7053-fb084c560000}5109/bin/rm-----rm -f /var/lib/update-notifier/tmp.aHJK3eQBrz/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-68c2-a91d91550000}5094/bin/dash/bin/shroot 534500x80000000000000002150283Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.584{ec230001-9a51-6262-d0e9-965173550000}5108/bin/catroot 154100x80000000000000002150291Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.585{ec230001-9a51-6262-508c-95bb23560000}5112/bin/grep-----grep -E overlayroot|/media/root-ro|/media/root-rw /proc/mounts/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5111--- 154100x80000000000000002150290Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.585{ec230001-9a51-6262-182a-798b21560000}5113/usr/bin/sort-----sort -r/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5111--- 154100x80000000000000002150289Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.585{ec230001-9a51-6262-68c2-f532ff550000}5112/bin/dash-----/bin/sh /bin/egrep overlayroot|/media/root-ro|/media/root-rw /proc/mounts/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5111--- 154100x80000000000000002150288Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.585{ec230001-9a51-6262-6812-f91353560000}5110/bin/dash-----/bin/sh /etc/update-motd.d/97-overlayroot/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150292Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.587{ec230001-9a51-6262-68c2-f532ff550000}5112/bin/dashroot 534500x80000000000000002150294Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.588{ec230001-9a51-6262-0000-000000000000}5111-root 534500x80000000000000002150293Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.588{ec230001-9a51-6262-182a-798b21560000}5113/usr/bin/sortroot 154100x80000000000000002150297Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.590{ec230001-9a51-6262-68f2-613b42560000}5114/bin/dash-----/bin/sh /usr/lib/update-notifier/update-motd-fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150296Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.590{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dash-----/bin/sh /etc/update-motd.d/98-fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150295Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.590{ec230001-9a51-6262-6812-f91353560000}5110/bin/dashroot 154100x80000000000000002150298Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.591{ec230001-9a51-6262-8844-8be876550000}5115/usr/bin/stat-----stat -c %Y /var/lib/update-notifier/fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dash/bin/shroot 154100x80000000000000002150302Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.592{ec230001-9a51-6262-086f-89f136560000}5116/bin/date-----date -d now - 14700.28 seconds +%s/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dash/bin/shroot 154100x80000000000000002150300Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.592{ec230001-9a51-6262-f05c-de8d9f550000}5117/usr/bin/gawk-----awk {print $1} /proc/uptime/root{ec230001-0000-0000-0000-000000000000}09no level-{00000000-0000-0000-0000-000000000000}5116--- 534500x80000000000000002150299Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.592{ec230001-9a51-6262-8844-8be876550000}5115/usr/bin/statroot 534500x80000000000000002150303Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.594{ec230001-9a51-6262-086f-89f136560000}5116/bin/dateroot 534500x80000000000000002150301Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.594{ec230001-9a51-6262-f05c-de8d9f550000}5117/usr/bin/gawkroot 154100x80000000000000002150306Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.595{ec230001-9a51-6262-d089-08017a550000}5119/bin/cat-----cat /var/lib/update-notifier/fsck-at-reboot/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dash/bin/shroot 534500x80000000000000002150305Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.595{ec230001-9a51-6262-083f-1eb398550000}5118/bin/dateroot 154100x80000000000000002150304Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.595{ec230001-9a51-6262-083f-1eb398550000}5118/bin/date-----date +%s/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dash/bin/shroot 154100x80000000000000002150310Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.596{ec230001-9a51-6262-6842-1437eb550000}5120/bin/dash-----/bin/sh -e /usr/lib/update-notifier/update-motd-reboot-required/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 154100x80000000000000002150309Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.596{ec230001-9a51-6262-6862-7a2c71550000}5120/bin/dash-----/bin/sh /etc/update-motd.d/98-reboot-required/root{ec230001-0000-0000-0000-000000000000}09no level-{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/env/usr/bin/envroot 534500x80000000000000002150308Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.596{ec230001-9a51-6262-6872-3822d1550000}5114/bin/dashroot 534500x80000000000000002150307Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.596{ec230001-9a51-6262-d089-08017a550000}5119/bin/catroot 534500x80000000000000002150313Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.597{ec230001-9a51-6262-68c2-f506c1550000}5057/bin/dashroot 534500x80000000000000002150312Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.597{ec230001-9a51-6262-787c-30a8a0550000}5058/usr/bin/envroot 534500x80000000000000002150311Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.597{ec230001-9a51-6262-6862-7a2c71550000}5120/bin/dashroot 154100x80000000000000002150314Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.651{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash------bash/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{00000000-0000-0000-0000-000000000000}5121--- 154100x80000000000000002150315Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.654{ec230001-9a51-6262-88ae-2c004a560000}5124/usr/bin/locale-check-----/usr/bin/locale-check C.UTF-8/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{00000000-0000-0000-0000-000000000000}5123--- 534500x80000000000000002150317Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.656{ec230001-9a51-6262-0000-000000000000}5123-ubuntu 534500x80000000000000002150316Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.656{ec230001-9a51-6262-88ae-2c004a560000}5124/usr/bin/locale-checkubuntu 154100x80000000000000002150318Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.658{ec230001-9a51-6262-3080-87767c550000}5125/usr/bin/locale-----locale/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150319Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.659{ec230001-9a51-6262-3080-87767c550000}5125/usr/bin/localeubuntu 534500x80000000000000002150320Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.661{ec230001-9a51-6262-0000-000000000000}5126-ubuntu 154100x80000000000000002150321Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.679{ec230001-9a51-6262-68a2-8ef5ca550000}5128/bin/dash-----/bin/sh /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{00000000-0000-0000-0000-000000000000}5127--- 154100x80000000000000002150322Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.680{ec230001-9a51-6262-e8cb-283ed4550000}5129/usr/bin/basename-----basename /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-68a2-8ef5ca550000}5128/bin/dash/bin/shubuntu 534500x80000000000000002150323Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.681{ec230001-9a51-6262-e8cb-283ed4550000}5129/usr/bin/basenameubuntu 154100x80000000000000002150324Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.682{ec230001-9a51-6262-e8d8-70dba1550000}5131/usr/bin/dirname-----dirname /usr/bin/lesspipe/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{00000000-0000-0000-0000-000000000000}5130--- 534500x80000000000000002150328Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.683{ec230001-9a51-6262-0000-000000000000}5127-ubuntu 534500x80000000000000002150327Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.683{ec230001-9a51-6262-68a2-8ef5ca550000}5128/bin/dashubuntu 534500x80000000000000002150326Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.683{00000000-0000-0000-0000-000000000000}5130<unknown process>ubuntu 534500x80000000000000002150325Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.683{ec230001-9a51-6262-e8d8-70dba1550000}5131/usr/bin/dirnameubuntu 154100x80000000000000002150329Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.685{ec230001-9a51-6262-4899-23d6cd550000}5133/usr/bin/dircolors-----dircolors -b/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{00000000-0000-0000-0000-000000000000}5132--- 534500x80000000000000002150331Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.686{00000000-0000-0000-0000-000000000000}5132<unknown process>ubuntu 534500x80000000000000002150330Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.686{ec230001-9a51-6262-4899-23d6cd550000}5133/usr/bin/dircolorsubuntu 534500x80000000000000002150332Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.746{ec230001-9a51-6262-0000-000000000000}5056-sshd 534500x80000000000000002150333Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:41.747{ec230001-9a51-6262-e017-ee6b11560000}5055/usr/sbin/sshdroot 354300x80000000000000002150334Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:43.345{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39190-false10.0.1.12-8000- 354300x80000000000000002150335Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:47.259{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42176-false10.0.1.12-8089- 354300x80000000000000002150336Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:48.461{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39194-false10.0.1.12-8000- 154100x80000000000000002150337Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:49.700{ec230001-9a59-6262-e856-366158550000}5134/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150338Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:49.703{ec230001-9a59-6262-e856-366158550000}5134/bin/lsubuntu 354300x80000000000000002150339Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:54.417{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39196-false10.0.1.12-8000- 534500x80000000000000002150340Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:57.127{00000000-0000-0000-0000-000000000000}5135<unknown process>ubuntu 23542300x80000000000000002150342Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:57.128{ec230001-9a51-6262-08a4-887865550000}5122ubuntu/bin/bash/tmp/sh-thd.TLCSX1--- 534500x80000000000000002150341Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:57.128{ec230001-9a51-6262-0000-000000000000}5136-ubuntu 154100x80000000000000002150343Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:58.273{ec230001-9a62-6262-80c2-4a0f84550000}5137/bin/nano-----nano soloshred.sh/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 354300x80000000000000002150344Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:06:59.422{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39198-false10.0.1.12-8000- 534500x80000000000000002150345Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:00.414{ec230001-60ec-6262-c89a-4e13d6550000}462/lib/systemd/systemd-journaldroot 23542300x80000000000000002150346Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:00.980{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x80000000000000002150347Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:04.799{ec230001-9a68-6262-6804-0b8cb8550000}5139/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150348Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:04.812{ec230001-9a68-6262-6804-0b8cb8550000}5139/bin/psroot 354300x80000000000000002150349Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:05.381{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39200-false10.0.1.12-8000- 154100x80000000000000002150351Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:09.446{ec230001-9a6d-6262-e0d7-312633560000}5140/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150350Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:09.446{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-58460-false10.0.1.20-22- 534500x80000000000000002150353Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:10.115{ec230001-9a6d-6262-e0d7-312633560000}5140/usr/sbin/sshdroot 534500x80000000000000002150352Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:10.115{ec230001-9a6d-6262-0000-000000000000}5141-sshd 354300x80000000000000002150354Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:11.246{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39202-false10.0.1.12-8000- 23542300x80000000000000002150355Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:16.238{ec230001-9a62-6262-80c2-4a0f84550000}5137ubuntu/bin/nano/home/ubuntu/./.soloshred.sh.swp--- 354300x80000000000000002150356Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:16.483{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39204-false10.0.1.12-8000- 354300x80000000000000002150357Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:22.417{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39206-false10.0.1.12-8000- 354300x80000000000000002150358Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:28.327{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39208-false10.0.1.12-8000- 23542300x80000000000000002150359Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:30.982{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150360Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:33.369{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39210-false10.0.1.12-8000- 154100x80000000000000002150362Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:38.014{ec230001-9a8a-6262-e087-520efb550000}5142/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150361Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:38.014{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-35356-false10.0.1.20-22- 354300x80000000000000002150363Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:38.481{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39212-false10.0.1.12-8000- 534500x80000000000000002150364Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:38.694{ec230001-9a8a-6262-0000-000000000000}5143-sshd 534500x80000000000000002150365Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:38.697{ec230001-9a8a-6262-e087-520efb550000}5142/usr/sbin/sshdroot 354300x80000000000000002150366Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:44.374{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39214-false10.0.1.12-8000- 354300x80000000000000002150367Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:47.263{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42200-false10.0.1.12-8089- 354300x80000000000000002150368Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:50.325{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39218-false10.0.1.12-8000- 354300x80000000000000002150369Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:07:56.272{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39220-false10.0.1.12-8000- 23542300x80000000000000002150370Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:00.982{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150371Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:01.272{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39222-false10.0.1.12-8000- 154100x80000000000000002150372Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:05.872{ec230001-9aa5-6262-68b4-a741f8550000}5144/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150373Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:05.884{ec230001-9aa5-6262-68b4-a741f8550000}5144/bin/psroot 354300x80000000000000002150374Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:06.362{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39224-false10.0.1.12-8000- 154100x80000000000000002150376Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:06.907{ec230001-9aa6-6262-e0a7-45e99d550000}5145/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150375Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:06.907{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-40464-false10.0.1.20-22- 534500x80000000000000002150377Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:07.585{ec230001-9aa6-6262-0000-000000000000}5146-sshd 534500x80000000000000002150378Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:07.586{ec230001-9aa6-6262-e0a7-45e99d550000}5145/usr/sbin/sshdroot 354300x80000000000000002150379Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:11.364{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39226-false10.0.1.12-8000- 354300x80000000000000002150380Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:16.461{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39228-false10.0.1.12-8000- 354300x80000000000000002150381Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:21.485{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39230-false10.0.1.12-8000- 354300x80000000000000002150382Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:27.326{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39232-false10.0.1.12-8000- 23542300x80000000000000002150383Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:30.981{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150384Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:33.268{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39234-false10.0.1.12-8000- 354300x80000000000000002150385Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:36.522{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-45448-false10.0.1.20-22- 154100x80000000000000002150386Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:36.523{ec230001-9ac4-6262-e037-cd91f5550000}5147/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 534500x80000000000000002150387Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:37.185{ec230001-9ac4-6262-0000-000000000000}5148-sshd 534500x80000000000000002150388Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:37.186{ec230001-9ac4-6262-e037-cd91f5550000}5147/usr/sbin/sshdroot 354300x80000000000000002150389Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:38.271{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39236-false10.0.1.12-8000- 354300x80000000000000002150390Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:43.451{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39238-false10.0.1.12-8000- 354300x80000000000000002150391Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:47.267{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42224-false10.0.1.12-8089- 354300x80000000000000002150392Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:49.285{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39242-false10.0.1.12-8000- 354300x80000000000000002150393Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:08:55.270{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39244-false10.0.1.12-8000- 354300x80000000000000002150394Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:00.434{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39246-false10.0.1.12-8000- 23542300x80000000000000002150395Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:00.981{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150396Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:05.455{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39248-false10.0.1.12-8000- 354300x80000000000000002150397Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:06.598{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-50492-false10.0.1.20-22- 154100x80000000000000002150398Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:06.599{ec230001-9ae2-6262-e007-46b0d3550000}5149/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 154100x80000000000000002150399Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:06.885{ec230001-9ae2-6262-68c4-3e072c560000}5151/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150400Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:06.898{ec230001-9ae2-6262-68c4-3e072c560000}5151/bin/psroot 534500x80000000000000002150401Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:07.260{ec230001-9ae2-6262-0000-000000000000}5150-sshd 534500x80000000000000002150402Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:07.261{ec230001-9ae2-6262-e007-46b0d3550000}5149/usr/sbin/sshdroot 354300x80000000000000002150403Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:11.320{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39250-false10.0.1.12-8000- 534500x80000000000000002150404Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:11.324{00000000-0000-0000-0000-000000000000}4824<unknown process>root 354300x80000000000000002150405Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:16.426{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39252-false10.0.1.12-8000- 354300x80000000000000002150406Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:22.341{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39254-false10.0.1.12-8000- 354300x80000000000000002150407Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:27.376{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39256-false10.0.1.12-8000- 23542300x80000000000000002150408Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:30.861{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150409Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:32.410{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39258-false10.0.1.12-8000- 354300x80000000000000002150410Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:37.646{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-55530-false10.0.1.20-22- 154100x80000000000000002150411Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:37.647{ec230001-9b01-6262-e007-12a929560000}5152/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 534500x80000000000000002150412Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:38.331{ec230001-9b01-6262-0000-000000000000}5153-sshd 534500x80000000000000002150413Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:38.332{ec230001-9b01-6262-e007-12a929560000}5152/usr/sbin/sshdroot 354300x80000000000000002150414Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:38.404{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39260-false10.0.1.12-8000- 354300x80000000000000002150415Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:44.288{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39262-false10.0.1.12-8000- 354300x80000000000000002150416Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:47.271{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42248-false10.0.1.12-8089- 354300x80000000000000002150417Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:49.336{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39266-false10.0.1.12-8000- 354300x80000000000000002150418Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:09:55.302{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39268-false10.0.1.12-8000- 354300x80000000000000002150419Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:00.444{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39270-false10.0.1.12-8000- 23542300x80000000000000002150420Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:00.979{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150421Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:05.457{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39272-false10.0.1.12-8000- 154100x80000000000000002150422Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:07.958{ec230001-9b1f-6262-6884-ffe4ac550000}5155/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150423Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:07.970{ec230001-9b1f-6262-6884-ffe4ac550000}5155/bin/psroot 154100x80000000000000002150425Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:08.025{ec230001-9b20-6262-e057-0dc1c1550000}5156/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150424Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:08.025{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-60666-false10.0.1.20-22- 534500x80000000000000002150426Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:08.672{ec230001-9b20-6262-0000-000000000000}5157-sshd 534500x80000000000000002150427Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:08.674{ec230001-9b20-6262-e057-0dc1c1550000}5156/usr/sbin/sshdroot 354300x80000000000000002150428Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:10.483{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39274-false10.0.1.12-8000- 354300x80000000000000002150429Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:16.249{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39276-false10.0.1.12-8000- 354300x80000000000000002150430Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:21.370{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39278-false10.0.1.12-8000- 354300x80000000000000002150431Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:27.255{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39280-false10.0.1.12-8000- 23542300x80000000000000002150432Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:30.978{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150433Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:32.336{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39282-false10.0.1.12-8000- 534500x80000000000000002150435Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:34.610{ec230001-9a62-6262-80c2-4a0f84550000}5137/bin/nanoubuntu 23542300x80000000000000002150434Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:34.610{ec230001-9a62-6262-80c2-4a0f84550000}5137ubuntu/bin/nano/home/ubuntu/./.soloshred.sh.swp--- 354300x80000000000000002150436Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:37.440{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39284-false10.0.1.12-8000- 154100x80000000000000002150438Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:37.990{ec230001-9b3d-6262-e0d7-72dbdc550000}5158/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150437Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:37.990{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-37394-false10.0.1.20-22- 534500x80000000000000002150439Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:38.649{ec230001-9b3d-6262-0000-000000000000}5159-sshd 534500x80000000000000002150440Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:38.650{ec230001-9b3d-6262-e0d7-72dbdc550000}5158/usr/sbin/sshdroot 154100x80000000000000002150441Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:41.090{ec230001-9b41-6262-d089-345893550000}5160/bin/cat-----cat sol/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150442Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:41.091{ec230001-9b41-6262-d089-345893550000}5160/bin/catubuntu 534500x80000000000000002150443Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.015{00000000-0000-0000-0000-000000000000}5161<unknown process>ubuntu 23542300x80000000000000002150445Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.016{ec230001-9a51-6262-08a4-887865550000}5122ubuntu/bin/bash/tmp/sh-thd.RIgtEN--- 534500x80000000000000002150444Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.016{ec230001-9b3d-6262-0000-000000000000}5162-ubuntu 354300x80000000000000002150446Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.299{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39286-false10.0.1.12-8000- 154100x80000000000000002150447Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.610{ec230001-9b43-6262-d039-a4f0f6550000}5163/bin/cat-----cat soloshred.sh/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150448Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:43.611{ec230001-9b43-6262-d039-a4f0f6550000}5163/bin/catubuntu 354300x80000000000000002150449Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:47.275{ec230001-60f3-6262-601c-3e8419560000}1354/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42272-false10.0.1.12-8089- 354300x80000000000000002150450Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.423{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39290-false10.0.1.12-8000- 154100x80000000000000002150451Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.865{ec230001-9b48-6262-7043-69efe1550000}5164/bin/rm-----rm -rf /etc/systemd/system/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150452Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.868{ec230001-9b48-6262-7043-69efe1550000}5164/bin/rmubuntu 154100x80000000000000002150453Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.870{ec230001-9b48-6262-50ef-678624560000}5165/usr/bin/shred-----shred -n 1 -x -z /usr/lib/systemd/system/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150454Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.871{ec230001-9b48-6262-50ef-678624560000}5165/usr/bin/shredubuntu 154100x80000000000000002150455Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.872{ec230001-9b48-6262-7093-0e114e560000}5166/bin/rm-----rm -rf /home --no-preserve-root rm -rf /etc/systemd/system/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 23542300x80000000000000002150464Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/prog--- 23542300x80000000000000002150463Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/soloshred.sh--- 23542300x80000000000000002150462Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.sudo_as_admin_successful--- 23542300x80000000000000002150461Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.bash_history--- 23542300x80000000000000002150460Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/test.txt--- 23542300x80000000000000002150459Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/orshred.sh--- 23542300x80000000000000002150458Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.ssh/authorized_keys--- 23542300x80000000000000002150457Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.cache/motd.legal-displayed--- 23542300x80000000000000002150456Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.875{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.bash_logout--- 23542300x80000000000000002150470Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.profile--- 23542300x80000000000000002150469Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/shadow_copy.txt--- 23542300x80000000000000002150468Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/prog.c--- 23542300x80000000000000002150467Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/hook_fopen.so--- 23542300x80000000000000002150466Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/run_hook.c--- 23542300x80000000000000002150465Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.876{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/hook_fopen.c--- 23542300x80000000000000002150473Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.877{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/passwd_copy.txt--- 23542300x80000000000000002150472Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.877{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/.bashrc--- 23542300x80000000000000002150471Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.877{ec230001-9b48-6262-7093-0e114e560000}5166ubuntu/bin/rm/home/ubuntu/run_hook--- 534500x80000000000000002150474Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.882{ec230001-9b48-6262-7093-0e114e560000}5166/bin/rmubuntu 154100x80000000000000002150475Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.884{ec230001-9b48-6262-50df-5cdb6e550000}5167/usr/bin/shred-----shred -n 1 -x -z /usr/lib/systemd/system/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150476Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.885{ec230001-9b48-6262-50df-5cdb6e550000}5167/usr/bin/shredubuntu 154100x80000000000000002150477Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.886{ec230001-9b48-6262-7043-8ce263550000}5168/bin/rm-----rm -rf /home --no-preserve-root/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150478Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.888{ec230001-9b48-6262-7043-8ce263550000}5168/bin/rmubuntu 154100x80000000000000002150479Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.889{ec230001-9b48-6262-50df-8eb5f1550000}5169/usr/bin/shred-----shred -n 1 -x -z /boot/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150480Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:48.892{ec230001-9b48-6262-50df-8eb5f1550000}5169/usr/bin/shredubuntu 354300x80000000000000002150481Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:53.476{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39292-false10.0.1.12-8000- 354300x80000000000000002150482Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:10:59.416{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39294-false10.0.1.12-8000- 23542300x80000000000000002150483Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:00.978{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150484Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:04.472{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39296-false10.0.1.12-8000- 154100x80000000000000002150486Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:06.919{ec230001-9b5a-6262-e007-2722de550000}5170/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150485Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:06.919{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-42458-false10.0.1.20-22- 534500x80000000000000002150487Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:07.609{ec230001-9b5a-6262-0000-000000000000}5171-sshd 534500x80000000000000002150488Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:07.610{ec230001-9b5a-6262-e007-2722de550000}5170/usr/sbin/sshdroot 154100x80000000000000002150489Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:08.972{ec230001-9b5c-6262-6804-d0aa02560000}5172/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/5163root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}964--- 534500x80000000000000002150490Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:08.983{ec230001-9b5c-6262-6804-d0aa02560000}5172/bin/psroot 354300x80000000000000002150491Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:10.320{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39298-false10.0.1.12-8000- 354300x80000000000000002150492Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:15.340{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39300-false10.0.1.12-8000- 354300x80000000000000002150493Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:20.354{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39302-false10.0.1.12-8000- 154100x80000000000000002150494Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:21.206{ec230001-9b69-6262-08d6-8c7b5b550000}5173/usr/bin/clear-----clear/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150495Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:21.207{ec230001-9b69-6262-08d6-8c7b5b550000}5173/usr/bin/clearubuntu 534500x80000000000000002150496Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:25.631{ec230001-9b6d-6262-0000-000000000000}5174-ubuntu 354300x80000000000000002150497Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:26.283{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39304-false10.0.1.12-8000- 534500x80000000000000002150498Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:26.712{00000000-0000-0000-0000-000000000000}5175<unknown process>ubuntu 23542300x80000000000000002150499Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:30.978{ec230001-60f3-6262-601c-3e8419560000}1354root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x80000000000000002150500Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:31.340{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39306-false10.0.1.12-8000- 154100x80000000000000002150501Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:32.265{ec230001-9b74-6262-e876-5ab3b6550000}5176/bin/ls-----ls --color=auto -l/home/ubuntuubuntu{ec230001-9a52-6262-e803-000002000000}10009no level-{ec230001-9a51-6262-08a4-887865550000}5122/bin/bash-bashubuntu 534500x80000000000000002150502Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:32.267{ec230001-9b74-6262-e876-5ab3b6550000}5176/bin/lsubuntu 154100x80000000000000002150504Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:35.984{ec230001-9b77-6262-e087-499200560000}5177/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec230001-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}979--- 354300x80000000000000002150503Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:35.984{ec230001-60f1-6262-e0c7-99217b550000}979/usr/sbin/sshdroottcpfalsefalse179.43.154.185-47544-false10.0.1.20-22- 354300x80000000000000002150505Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:36.428{ec230001-60fb-6262-d9ff-4d0400000000}1744/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39308-false10.0.1.12-8000- 534500x80000000000000002150506Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:36.661{ec230001-9b77-6262-0000-000000000000}5178-sshd 534500x80000000000000002150507Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-6628-2022-04-22 12:11:36.662{ec230001-9b77-6262-e087-499200560000}5177/usr/sbin/sshdroot