03/10/2022 03:46:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309223 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309228 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1618 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309227 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2ba8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:46:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309226 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57083 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309225 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57083 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:46:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309224 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ba8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309230 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1c98 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309229 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1618 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:46:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309233 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xb44 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:46:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309232 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb44 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309231 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1c98 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:46:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309235 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1cc4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:46:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309234 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cc4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309237 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2914 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:46:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309236 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2914 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309241 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1cb4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:46:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309240 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1cb4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309239 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57084 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309238 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57084 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:46:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309243 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57085 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309242 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57085 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309245 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309244 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670907 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1914 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670906 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Process Information: Process ID: 0x348 Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Exit Status: 0x0 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670905 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x604 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:46:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670904 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x604 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670910 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1a5c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:46:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670909 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a5c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670908 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1914 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309251 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB4FE94F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309250 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB4FE94F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 57086 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309249 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB4FE94F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309248 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 57086 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309247 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 57086 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:46:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309246 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 57086 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:46:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309253 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57087 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309252 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57087 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:46:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309254 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670914 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x18d0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:46:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670913 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18d0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670912 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1aa0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:46:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670911 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1aa0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670916 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ae0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:46:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670915 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ae0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670918 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x750 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:46:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670917 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x750 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:46:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309256 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57088 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309255 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57088 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:46:54 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309258 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57089 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:46:54 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309257 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57089 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309262 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309261 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309260 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57090 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309259 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57090 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309263 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309265 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57091 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309264 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57091 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309267 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57092 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309266 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57092 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:17 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309269 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57093 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:17 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309268 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57093 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309271 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309270 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309273 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57094 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309272 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57094 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309275 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57095 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309274 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57095 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309276 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309280 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x25c8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:47:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309279 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25c8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309278 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57096 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309277 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57096 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309282 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2100 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:47:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309281 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2100 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309284 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xde4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:47:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309283 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xde4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309287 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ad0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309286 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2afc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:47:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309285 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2afc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309289 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x25ec New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309288 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2ad0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:47:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309291 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14e0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309290 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x25ec Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309317 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511105 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309316 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511280 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309315 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511235 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849309314 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511349 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849309313 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511349 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849309312 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511349 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309311 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511349 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309310 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511349 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309309 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309308 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57100 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309307 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 57100 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309306 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511280 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D1606E6-387E-E6D6-385C-D4AF014B068A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 57099 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309305 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511280 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309304 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.14 Source Port: 57099 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309303 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57099 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65789 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309302 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 57099 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309301 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511235 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D1606E6-387E-E6D6-385C-D4AF014B068A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309300 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511235 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309299 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511105 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2D1606E6-387E-E6D6-385C-D4AF014B068A} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 57098 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309298 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511105 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309297 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57098 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309296 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57098 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309295 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 57098 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309294 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14e0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309293 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57097 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309292 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57097 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309332 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511BD8 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309331 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511BD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 57103 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309330 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511BD8 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309329 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57103 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309328 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57103 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309327 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 57103 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309326 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511B6C Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309325 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB511B6C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 57102 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309324 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511B6C Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309323 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57102 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309322 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57102 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309321 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 57102 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309320 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 900 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57101 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309319 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57101 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309318 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 57101 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309333 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 51368 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309338 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309337 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309336 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57104 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309335 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57104 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670921 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670920 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x498 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:47:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670919 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x498 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670924 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x140c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:47:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670923 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x140c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670922 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x15bc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309344 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB513F53 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309343 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB513F53 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 57105 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309342 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB513F53 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309341 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 57105 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309340 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 57105 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:47:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309339 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 57105 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:47:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309348 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309347 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB511349 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:47:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309346 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57106 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309345 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57106 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670925 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a44 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670930 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xfd8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:47:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670929 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xfd8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670928 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x188c Process Name: C:\Windows\servicing\TrustedInstaller.exe Exit Status: 0x0 03/10/2022 03:47:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670927 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x18b4 Process Name: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe Exit Status: 0x0 03/10/2022 03:47:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670926 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1a44 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:47:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670934 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1a8c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:47:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670933 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a8c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670932 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1a68 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:47:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670931 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1a68 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:47:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309350 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57107 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309349 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57107 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:47:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309352 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57108 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:47:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309351 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57108 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309354 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309353 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309356 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57109 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309355 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57109 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309357 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309359 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57110 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309358 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57110 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309361 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57111 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309360 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57111 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309363 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57112 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309362 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57112 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309365 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309364 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309367 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57113 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309366 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57113 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309369 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57114 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309368 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57114 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309370 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:27 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309371 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e28 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309374 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x7dc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:48:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309373 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x7dc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309372 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e28 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309382 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2ae4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849309381 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57116 Share Information: Share Name: \\*\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309380 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57116 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309379 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 57116 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309378 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 57116 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309377 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ae4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309376 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57115 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309375 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57115 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309384 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2848 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:48:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309383 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2848 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309386 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x24d0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:48:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309385 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24d0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309388 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1310 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:48:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309387 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1310 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309390 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1170 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:48:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309389 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1170 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309392 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57117 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309391 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57117 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309396 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309395 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309394 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57118 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309393 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57118 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670937 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1428 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670936 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x199c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:48:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670935 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x199c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670940 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17e4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:48:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670939 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670938 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1428 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309402 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB5289AD Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309401 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB5289AD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 57119 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309400 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB5289AD Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309399 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 57119 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309398 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 57119 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:48:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309397 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 57119 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:48:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309403 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670941 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x15b8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309405 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57120 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309404 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57120 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670944 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xf54 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:48:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670943 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf54 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670942 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x15b8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:48:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670947 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1950 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670946 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x100c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:48:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670945 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x100c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:48:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670948 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1950 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:48:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309407 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57121 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309406 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57121 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:48:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309409 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57122 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:48:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309408 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57122 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309411 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309410 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309413 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57123 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309412 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57123 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309414 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309416 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57124 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309415 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57124 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309418 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57125 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309417 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57125 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309420 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57126 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309419 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57126 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309422 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309421 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309424 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57127 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309423 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57127 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309427 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309426 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57128 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309425 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57128 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309429 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x297c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:49:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309428 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x297c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309433 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1fb0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:49:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309432 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1fb0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309431 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57129 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309430 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57129 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309436 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b60 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309435 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2aa4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:49:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309434 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2aa4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309439 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x253c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:49:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309438 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x253c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309437 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b60 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:49:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309441 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e20 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:49:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309440 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e20 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309448 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x26c0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309447 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 50098 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309446 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 57256 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309445 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x26c0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309444 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 49687 Destination Address: 10.0.1.14 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309443 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 49558 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309442 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 60221 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849309454 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\WIN-HOST-987$ Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0xCB53B65A Network Information: Object Type: File Source Address: 10.0.1.15 Source Port: 50062 Share Information: Share Name: \\*\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309453 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: ATTACKRANGE\WIN-HOST-987$ Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB53B65A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {A5D4C314-EDB5-49AC-6CEF-C2E95F9ACD13} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.15 Source Port: 50062 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309452 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 50062 Destination Address: 10.0.1.14 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309451 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 56561 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309450 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57130 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309449 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57130 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309456 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309455 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670951 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670950 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x182c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:49:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670949 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x182c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309458 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57131 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309457 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57131 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670954 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1938 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:49:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670953 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1938 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670952 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309464 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB53D893 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309463 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB53D893 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 57132 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309462 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB53D893 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309461 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 57132 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309460 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 57132 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:49:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309459 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 57132 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:49:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309465 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670955 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309466 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: ATTACKRANGE\WIN-HOST-987$ Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0xCB53B65A Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:49:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670958 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1974 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:49:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670957 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1974 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670956 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x20c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:49:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309468 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57133 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309467 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57133 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670961 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x17e4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670960 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xdc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:49:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670959 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xdc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:49:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670962 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x17e4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:49:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309470 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57134 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:53 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309469 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57134 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:49:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309472 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57135 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:49:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309471 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57135 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309474 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309473 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309476 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57136 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309475 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57136 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309477 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309479 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57137 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309478 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57137 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309481 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57138 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309480 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57138 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309483 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57139 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309482 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57139 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309485 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309484 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309487 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57140 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309486 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57140 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309489 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57141 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309488 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57141 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309490 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:28 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309491 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ad4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309494 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2904 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:50:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309493 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2904 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309492 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2ad4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:50:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309498 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x196c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:50:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309497 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x196c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309496 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57142 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309495 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57142 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309500 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x24cc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:50:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309499 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x24cc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309502 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2530 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:50:32 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309501 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2530 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309505 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x878 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309504 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1568 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:50:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849309503 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1568 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:34 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849309506 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x878 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:50:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309508 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57143 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309507 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57143 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309510 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309509 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670965 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1720 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670964 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b5c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/10/2022 03:50:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670963 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b5c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309512 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57144 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309511 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57144 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670968 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1680 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/10/2022 03:50:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670967 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1680 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670966 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1720 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849309518 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB552CEE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849309517 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xCB552CEE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {99614E60-D8C3-BAA9-78F3-5E258E69CD9F} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 57145 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849309516 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xCB552CEE Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309515 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 57145 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309514 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 57145 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/10/2022 03:50:42 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309513 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 57145 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/10/2022 03:50:45 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309519 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309521 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57146 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309520 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57146 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670972 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x3bc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670971 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x3bc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670970 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1bec Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/10/2022 03:50:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670969 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bec New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670974 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11a0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/10/2022 03:50:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670973 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11a0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670976 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x192c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/10/2022 03:50:48 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670975 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x192c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309523 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57147 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309522 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57147 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309525 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57148 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:50:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309524 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57148 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:50:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5670977 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\REED_SCHMIDT Account Name: reed_schmidt Account Domain: ATTACKRANGE Logon ID: 0x50033 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1028 New Process Name: C:\Tools\Rubeus.exe Token Elevation Type: %%1938 Mandatory Label: Mandatory Label\Medium Mandatory Level Creator Process ID: 0x160c Creator Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Command Line: "C:\Tools\Rubeus.exe" asktgt /domain:attackrange.local /user:CRISTINA_POPE /rc4:8d3faa872d894d2a7ce9db3f7e97c94d /ptt Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/10/2022 03:50:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4768 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Authentication Service OpCode=Info RecordNumber=1849309528 Keywords=Audit Success Message=A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: CRISTINA_POPE Supplied Realm Name: attackrange.local User ID: ATTACKRANGE\CRISTINA_POPE Service Information: Service Name: krbtgt Service ID: ATTACKRANGE\krbtgt Network Information: Client Address: ::ffff:10.0.1.15 Client Port: 50081 Additional Information: Ticket Options: 0x40800010 Result Code: 0x0 Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 03/10/2022 03:50:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309527 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 50081 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:50:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309526 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 56562 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/10/2022 03:50:59 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5670978 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\REED_SCHMIDT Account Name: reed_schmidt Account Domain: ATTACKRANGE Logon ID: 0x50033 Process Information: Process ID: 0x1028 Process Name: C:\Tools\Rubeus.exe Exit Status: 0x0 03/10/2022 03:51:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309530 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309529 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309532 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57149 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309531 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57149 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:51:05 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309533 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309535 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57150 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309534 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57150 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/10/2022 03:51:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309537 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57151 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/10/2022 03:51:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849309536 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 57151 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36