154100x80000000000000008939Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:13:31.947{E30FED86-A29B-6413-D11C-00000000C602}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356780Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xed4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000025599Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.4613918Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} 7300x8000000000000025598Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.460947Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} 7300x8000000000000025597Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.1760282Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} 154100x80000000000000008938Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:13:27.970{E30FED86-A297-6413-D01C-00000000C602}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356779Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xba4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008937Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:37.277{E30FED86-A265-6413-CF1C-00000000C602}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356778Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x106cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008936Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:36.668{E30FED86-A264-6413-CE1C-00000000C602}5368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356777Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x14f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008935Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:35.911{E30FED86-A263-6413-CD1C-00000000C602}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356776Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x17e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000356775Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x370C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008934Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:31.938{E30FED86-A25F-6413-CC1C-00000000C602}880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2032--- {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.4613918Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3904","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.460947Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"2980","Execution_ThreadID":"3428","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"2980","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:13:27.1760282Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:13:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2508","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.4214191Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:29Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2508","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.4203877Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:29Z"} 7300x8000000000000025596Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2508","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.4214191Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:29Z"} 7300x8000000000000025595Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"2508","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.4203877Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:29Z"} 7300x8000000000000025594Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3328","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.1628676Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:28Z"} 154100x80000000000000008933Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:27.955{E30FED86-A25B-6413-CB1C-00000000C602}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356774Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xc70C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"3184","Execution_ThreadID":"3328","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3184","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:12:27.1628676Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:28Z"} {"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3.attackrange.local","Correlation_ActivityID":"","EventID":"4688","EventRecordID":"356773","Execution_ProcessID":"4","Execution_ThreadID":"2988","Image":"C:\\Windows\\System32\\findstr.exe","Keywords":"0","Level":"0","MandatoryLabel":"S-1-16-8192","Match_Strings":"cpassword in CommandLine, \\sysvol\\ in CommandLine, .xml in CommandLine, \\findstr.exe in Image","Module":"Sigma","NewProcessId":"5580","Opcode":"0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ProcessId":"4732","Provider_Guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Provider_Name":"Microsoft-Windows-Security-Auditing","Rule_Author":"frack113","Rule_Description":"Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.","Rule_FalsePositives":"Unknown","Rule_Id":"91a2c315-9ee6-4052-a853-6f6a8238f90d","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml","Rule_Modified":"2023/03/06","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_findstr_gpp_passwords.yml","Rule_References":"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr","Rule_Sigtype":"public","Rule_Title":"Findstr GPP Passwords","Security_UserID":"","Source":"Security","SubjectDomainName":"ATTACKRANGE","SubjectLogonId":"0x15f2ff3","SubjectUserName":"LORIE_FITZGERALD","SubjectUserSid":"S-1-5-21-1396122829-4209268585-3157709287-1143","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","Task":"13312","TimeCreated_SystemTime":"2023-03-16T23:12:06.9680316Z","TokenElevationType":"%%1938","Version":"2","Winversion":"14393","aurora_eventid":1,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:12Z"} {"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3.attackrange.local","Correlation_ActivityID":"","EventID":"4688","EventRecordID":"356773","Execution_ProcessID":"4","Execution_ThreadID":"2988","Image":"C:\\Windows\\System32\\findstr.exe","Keywords":"0","Level":"0","MandatoryLabel":"S-1-16-8192","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","NewProcessId":"5580","Opcode":"0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ProcessId":"4732","Provider_Guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Provider_Name":"Microsoft-Windows-Security-Auditing","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","Security_UserID":"","Source":"Security","SubjectDomainName":"ATTACKRANGE","SubjectLogonId":"0x15f2ff3","SubjectUserName":"LORIE_FITZGERALD","SubjectUserSid":"S-1-5-21-1396122829-4209268585-3157709287-1143","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","Task":"13312","TimeCreated_SystemTime":"2023-03-16T23:12:06.9680316Z","TokenElevationType":"%%1938","Version":"2","Winversion":"14393","aurora_eventid":1,"level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:12Z"} 1300x8000000000000025593Applicationar-win-3.attackrange.local{"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3.attackrange.local","Correlation_ActivityID":"","EventID":"4688","EventRecordID":"356773","Execution_ProcessID":"4","Execution_ThreadID":"2988","Image":"C:\\Windows\\System32\\findstr.exe","Keywords":"0","Level":"0","MandatoryLabel":"S-1-16-8192","Match_Strings":"cpassword in CommandLine, \\sysvol\\ in CommandLine, .xml in CommandLine, \\findstr.exe in Image","Module":"Sigma","NewProcessId":"5580","Opcode":"0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ProcessId":"4732","Provider_Guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Provider_Name":"Microsoft-Windows-Security-Auditing","Rule_Author":"frack113","Rule_Description":"Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.","Rule_FalsePositives":"Unknown","Rule_Id":"91a2c315-9ee6-4052-a853-6f6a8238f90d","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml","Rule_Modified":"2023/03/06","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_findstr_gpp_passwords.yml","Rule_References":"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr","Rule_Sigtype":"public","Rule_Title":"Findstr GPP Passwords","Security_UserID":"","Source":"Security","SubjectDomainName":"ATTACKRANGE","SubjectLogonId":"0x15f2ff3","SubjectUserName":"LORIE_FITZGERALD","SubjectUserSid":"S-1-5-21-1396122829-4209268585-3157709287-1143","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","Task":"13312","TimeCreated_SystemTime":"2023-03-16T23:12:06.9680316Z","TokenElevationType":"%%1938","Version":"2","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:12Z"} 1400x8000000000000025592Applicationar-win-3.attackrange.local{"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3.attackrange.local","Correlation_ActivityID":"","EventID":"4688","EventRecordID":"356773","Execution_ProcessID":"4","Execution_ThreadID":"2988","Image":"C:\\Windows\\System32\\findstr.exe","Keywords":"0","Level":"0","MandatoryLabel":"S-1-16-8192","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","NewProcessId":"5580","Opcode":"0","ParentImage":"C:\\Windows\\System32\\cmd.exe","ProcessId":"4732","Provider_Guid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Provider_Name":"Microsoft-Windows-Security-Auditing","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","Security_UserID":"","Source":"Security","SubjectDomainName":"ATTACKRANGE","SubjectLogonId":"0x15f2ff3","SubjectUserName":"LORIE_FITZGERALD","SubjectUserSid":"S-1-5-21-1396122829-4209268585-3157709287-1143","TargetDomainName":"-","TargetLogonId":"0x0","TargetUserName":"-","TargetUserSid":"S-1-0-0","Task":"13312","TimeCreated_SystemTime":"2023-03-16T23:12:06.9680316Z","TokenElevationType":"%%1938","Version":"2","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:12Z"} {"ApplicationId":"","CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DirectoryTableBase":"0x11A700000","EventID":"1","Execution_ProcessID":"4732","Execution_ThreadID":"1080","ExitStatus":"259","Flags":"0","GrandparentCommandLine":"C:\\Windows\\Explorer.EXE","GrandparentImage":"C:\\Windows\\explorer.exe","GrandparentProcessId":"4808","ImageFileName":"findstr.exe","Keywords":"0x0","Level":"0","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","Opcode":"1","PackageFullName":"","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentId":"0x127C","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessId":"5580","Provider_Guid":"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}","Provider_Name":"SystemTraceProvider-Process","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","SessionId":"3","Task":"0","TimeCreated_SystemTime":"2023-03-16T23:12:06.1709505Z","UniqueProcessKey":"0xFFFF96054BB01080","User":"ATTACKRANGE\\LORIE_FITZGERALD","UserSID":"\\\\ATTACKRANGE\\LORIE_FITZGERALD","Version":"4","Winversion":"14393","aurora_eventid":1,"level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:09Z"} 1400x8000000000000025591Applicationar-win-3.attackrange.local{"ApplicationId":"","CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DirectoryTableBase":"0x11A700000","EventID":"1","Execution_ProcessID":"4732","Execution_ThreadID":"1080","ExitStatus":"259","Flags":"0","GrandparentCommandLine":"C:\\Windows\\Explorer.EXE","GrandparentImage":"C:\\Windows\\explorer.exe","GrandparentProcessId":"4808","ImageFileName":"findstr.exe","Keywords":"0x0","Level":"0","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","Opcode":"1","PackageFullName":"","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentId":"0x127C","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessId":"5580","Provider_Guid":"{3D6FA8D0-FE05-11D0-9DDA-00C04FD7BA7C}","Provider_Name":"SystemTraceProvider-Process","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","SessionId":"3","Task":"0","TimeCreated_SystemTime":"2023-03-16T23:12:06.1709505Z","UniqueProcessKey":"0xFFFF96054BB01080","User":"ATTACKRANGE\\LORIE_FITZGERALD","UserSID":"\\\\ATTACKRANGE\\LORIE_FITZGERALD","Version":"4","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:09Z"} 1400x8000000000000025590Applicationar-win-3.attackrange.local{"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CurrentDirectory":"C:\\Users\\LORIE_FITZGERALD\\","Description":"Find String (QGREP) Utility","EventID":"1","Execution_ProcessID":"1984","Execution_ThreadID":"2560","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Hashes":"MD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"Medium","Keywords":"0x8000000000000000","Level":"4","LogonGuid":"{e30fed86-4555-6413-f32f-5f0100000000}","LogonId":"0x15F2FF3","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","Opcode":"0","OriginalFileName":"FINDSTR.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"{e30fed86-9aa9-6413-161c-00000000c602}","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessGuid":"{e30fed86-a246-6413-ca1c-00000000c602}","ProcessId":"5580","Product":"Microsoft\u0000\ufffd Windows\u0000\ufffd Operating System","Provider_Guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Provider_Name":"Microsoft-Windows-Sysmon","RuleName":"-","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","Security_UserID":"S-1-5-18","Task":"1","TerminalSessionId":"3","TimeCreated_SystemTime":"2023-03-16T23:12:06.1722886Z","User":"ATTACKRANGE\\LORIE_FITZGERALD","UtcTime":"2023-03-16 23:12:06.967","Version":"5","Winversion":"14393","level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:07Z"} 1300x8000000000000025589Applicationar-win-3.attackrange.local{"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CurrentDirectory":"C:\\Users\\LORIE_FITZGERALD\\","Description":"Find String (QGREP) Utility","EventID":"1","Execution_ProcessID":"1984","Execution_ThreadID":"2560","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Hashes":"MD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"Medium","Keywords":"0x8000000000000000","Level":"4","LogonGuid":"{e30fed86-4555-6413-f32f-5f0100000000}","LogonId":"0x15F2FF3","Match_Strings":"cpassword in CommandLine, \\sysvol\\ in CommandLine, .xml in CommandLine, \\findstr.exe in Image, FINDSTR.EXE in OriginalFileName","Module":"Sigma","Opcode":"0","OriginalFileName":"FINDSTR.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"{e30fed86-9aa9-6413-161c-00000000c602}","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessGuid":"{e30fed86-a246-6413-ca1c-00000000c602}","ProcessId":"5580","Product":"Microsoft\u0000\ufffd Windows\u0000\ufffd Operating System","Provider_Guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Provider_Name":"Microsoft-Windows-Sysmon","RuleName":"-","Rule_Author":"frack113","Rule_Description":"Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.","Rule_FalsePositives":"Unknown","Rule_Id":"91a2c315-9ee6-4052-a853-6f6a8238f90d","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml","Rule_Modified":"2023/03/06","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_findstr_gpp_passwords.yml","Rule_References":"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr","Rule_Sigtype":"public","Rule_Title":"Findstr GPP Passwords","Security_UserID":"S-1-5-18","Task":"1","TerminalSessionId":"3","TimeCreated_SystemTime":"2023-03-16T23:12:06.1722886Z","User":"ATTACKRANGE\\LORIE_FITZGERALD","UtcTime":"2023-03-16 23:12:06.967","Version":"5","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:07Z"} 154100x80000000000000008932Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:12:06.967{E30FED86-A246-6413-CA1C-00000000C602}5580C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /s cpassword \\ar-win-dc.attackrange.local\sysvol\attackrange.local\Policies\*.xmlC:\Users\LORIE_FITZGERALD\ATTACKRANGE\LORIE_FITZGERALD{E30FED86-4555-6413-F32F-5F0100000000}0x15f2ff33MediumMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{E30FED86-9AA9-6413-161C-00000000C602}4732C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" ATTACKRANGE\LORIE_FITZGERALD 4688201331200x8020000000000000356773Securityar-win-3.attackrange.localATTACKRANGE\LORIE_FITZGERALDLORIE_FITZGERALDATTACKRANGE0x15f2ff30x15ccC:\Windows\System32\findstr.exe%%19380x127cfindstr /s cpassword \\ar-win-dc.attackrange.local\sysvol\attackrange.local\Policies\*.xmlNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level 154100x80000000000000008931Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:11:37.345{E30FED86-A229-6413-C91C-00000000C602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356772Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xea0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000356771Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x10dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008930Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:11:36.665{E30FED86-A228-6413-C81C-00000000C602}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356770Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xf80C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008929Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:11:35.907{E30FED86-A227-6413-C71C-00000000C602}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 154100x80000000000000008928Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:11:31.925{E30FED86-A223-6413-C61C-00000000C602}2680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356769Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xa78C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 7300x8000000000000025588Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4768","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.339644Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} 7300x8000000000000025587Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4768","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.3390156Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} 7300x8000000000000025586Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0AA30000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4864","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0AA30000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.1484715Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} 4688201331200x8020000000000000356768Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x79cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008927Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:11:27.941{E30FED86-A21F-6413-C51C-00000000C602}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356767Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x9acC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008926Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:10:37.443{E30FED86-A1ED-6413-C41C-00000000C602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 154100x80000000000000008925Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:10:36.709{E30FED86-A1EC-6413-C31C-00000000C602}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356766Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x13ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008924Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:10:35.910{E30FED86-A1EB-6413-C21C-00000000C602}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356765Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xba4C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008923Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:10:31.929{E30FED86-A1E7-6413-C11C-00000000C602}1168C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356764Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x490C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level {"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CurrentDirectory":"C:\\Users\\LORIE_FITZGERALD\\","Description":"Find String (QGREP) Utility","EventID":"1","Execution_ProcessID":"1984","Execution_ThreadID":"2560","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Hashes":"MD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"Medium","Keywords":"0x8000000000000000","Level":"4","LogonGuid":"{e30fed86-4555-6413-f32f-5f0100000000}","LogonId":"0x15F2FF3","Match_Strings":"\\sysvol\\ in CommandLine, \\Policies\\ in CommandLine","Module":"Sigma","Opcode":"0","OriginalFileName":"FINDSTR.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"{e30fed86-9aa9-6413-161c-00000000c602}","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessGuid":"{e30fed86-a246-6413-ca1c-00000000c602}","ProcessId":"5580","Product":"Microsoft\u0000\ufffd Windows\u0000\ufffd Operating System","Provider_Guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Provider_Name":"Microsoft-Windows-Sysmon","RuleName":"-","Rule_Author":"Markus Neis, Jonhnathan Ribeiro, oscd.community","Rule_Description":"Detects Access to Domain Group Policies stored in SYSVOL","Rule_FalsePositives":"Administrative activity","Rule_Id":"05f3c945-dcc8-4393-9f3d-af65077a8f86","Rule_Level":"medium","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml","Rule_Modified":"2022/01/07","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_susp_sysvol_access.yml","Rule_References":"https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100","Rule_Sigtype":"public","Rule_Title":"Suspicious SYSVOL Domain Group Policy Access","Security_UserID":"S-1-5-18","Task":"1","TerminalSessionId":"3","TimeCreated_SystemTime":"2023-03-16T23:12:06.1722886Z","User":"ATTACKRANGE\\LORIE_FITZGERALD","UtcTime":"2023-03-16 23:12:06.967","Version":"5","Winversion":"14393","aurora_eventid":1,"level":"notice","msg":"Sigma match found","time":"2023-03-16T23:12:07Z"} {"CommandLine":"findstr /s cpassword \\\\ar-win-dc.attackrange.local\\sysvol\\attackrange.local\\Policies\\*.xml","Company":"Microsoft Corporation","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","CurrentDirectory":"C:\\Users\\LORIE_FITZGERALD\\","Description":"Find String (QGREP) Utility","EventID":"1","Execution_ProcessID":"1984","Execution_ThreadID":"2560","FileVersion":"10.0.14393.0 (rs1_release.160715-1616)","Hashes":"MD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A","Image":"C:\\Windows\\System32\\findstr.exe","IntegrityLevel":"Medium","Keywords":"0x8000000000000000","Level":"4","LogonGuid":"{e30fed86-4555-6413-f32f-5f0100000000}","LogonId":"0x15F2FF3","Match_Strings":"cpassword in CommandLine, \\sysvol\\ in CommandLine, .xml in CommandLine, \\findstr.exe in Image, FINDSTR.EXE in OriginalFileName","Module":"Sigma","Opcode":"0","OriginalFileName":"FINDSTR.EXE","ParentCommandLine":"\"C:\\Windows\\system32\\cmd.exe\" ","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentProcessGuid":"{e30fed86-9aa9-6413-161c-00000000c602}","ParentProcessId":"4732","ParentUser":"ATTACKRANGE\\LORIE_FITZGERALD","ProcessGuid":"{e30fed86-a246-6413-ca1c-00000000c602}","ProcessId":"5580","Product":"Microsoft\u0000\ufffd Windows\u0000\ufffd Operating System","Provider_Guid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Provider_Name":"Microsoft-Windows-Sysmon","RuleName":"-","Rule_Author":"frack113","Rule_Description":"Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.","Rule_FalsePositives":"Unknown","Rule_Id":"91a2c315-9ee6-4052-a853-6f6a8238f90d","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml","Rule_Modified":"2023/03/06","Rule_Path":"public\\windows\\process_creation\\proc_creation_win_findstr_gpp_passwords.yml","Rule_References":"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr","Rule_Sigtype":"public","Rule_Title":"Findstr GPP Passwords","Security_UserID":"S-1-5-18","Task":"1","TerminalSessionId":"3","TimeCreated_SystemTime":"2023-03-16T23:12:06.1722886Z","User":"ATTACKRANGE\\LORIE_FITZGERALD","UtcTime":"2023-03-16 23:12:06.967","Version":"5","Winversion":"14393","aurora_eventid":1,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:12:07Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4768","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.339644Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4768","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.3390156Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0AA30000","EventID":"5","Execution_ProcessID":"1948","Execution_ThreadID":"4864","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0AA30000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1948","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:11:27.1484715Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:11:28Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"1652","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.4656499Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:29Z"} {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"1652","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.4649831Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:29Z"} 7300x8000000000000025585Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"1652","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.4656499Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:29Z"} 7300x8000000000000025584Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"1652","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.4649831Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:29Z"} 7300x8000000000000025583Applicationar-win-3.attackrange.local{"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"2372","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.1480832Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:28Z"} 4688201331200x8020000000000000356763Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008922Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:10:27.938{E30FED86-A1E3-6413-C01C-00000000C602}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356762Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008921Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:09:37.363{E30FED86-A1B1-6413-BF1C-00000000C602}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 154100x80000000000000008920Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:09:36.675{E30FED86-A1B0-6413-BE1C-00000000C602}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356761Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x14a4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008919Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:09:35.907{E30FED86-A1AF-6413-BD1C-00000000C602}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356760Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x94cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000356759Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008918Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:09:31.918{E30FED86-A1AB-6413-BC1C-00000000C602}5896C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe9.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=80601ED27CFBD56EB4D847556776A4BC,SHA256=9E48FEE0D29DC8867EAEA8BC23ECC2BF46C010FCB215F99122D1F87E1D7D60A1,IMPHASH=E99D29902E9E9D71E38EE092E4F626C7{00000000-0000-0000-0000-000000000000}2032--- {"CommandLine":"\"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe\"","Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0DD00000","EventID":"5","Execution_ProcessID":"1668","Execution_ThreadID":"2372","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0DD00000","ImageCheckSum":"311452","ImageLoaded":"\\Windows\\System32\\activeds.dll","ImageName":"\\Windows\\System32\\activeds.dll","ImageSize":"0x45000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\activeds.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"1668","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:10:27.1480832Z","TimeDateStamp":"1610059754","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:10:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"2644","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.479749Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"2644","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.4791506Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} {"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0AA30000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"4604","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0AA30000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.1516238Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","aurora_eventid":7,"level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} 7300x8000000000000025582Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0C7A0000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"2644","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0C7A0000","ImageCheckSum":"205048","ImageLoaded":"\\Windows\\System32\\dbgcore.dll","ImageName":"\\Windows\\System32\\dbgcore.dll","ImageSize":"0x29000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbgcore.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbgcore.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"9ca2bf31-0570-44d8-a543-534c47c33ed7","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbgcore_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGCORE.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.479749Z","TimeDateStamp":"1611809694","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} 7300x8000000000000025581Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF04B30000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"2644","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF04B30000","ImageCheckSum":"1575379","ImageLoaded":"\\Windows\\System32\\dbghelp.dll","ImageName":"\\Windows\\System32\\dbghelp.dll","ImageSize":"0x192000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\dbghelp.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)","Rule_Description":"Detects DLL sideloading of \"dbghelp.dll\"","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLL mentioned in this rule","Rule_Id":"6414b5cd-b19d-447e-bb5e-9f03940b5784","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_dbghelp_dll.yml","Rule_References":"https://hijacklibs.net/","Rule_Sigtype":"public","Rule_Title":"DLL Sideloading Of DBGHELP.DLL","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.4791506Z","TimeDateStamp":"1468635229","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} 7300x8000000000000025580Applicationar-win-3.attackrange.local{"Computer":"ar-win-3","Correlation_ActivityID":"{00000000-0000-0000-0000-000000000000}","DefaultBase":"0x7FFF0AA30000","EventID":"5","Execution_ProcessID":"3704","Execution_ThreadID":"4604","Image":"C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-MonitorNoHandle.exe","ImageBase":"0x7FFF0AA30000","ImageCheckSum":"59227","ImageLoaded":"\\Windows\\System32\\fltLib.dll","ImageName":"\\Windows\\System32\\fltLib.dll","ImageSize":"0xA000","Keywords":"0x8000000000000040","Level":"4","Match_Strings":"\\fltLib.dll in ImageLoaded","Module":"Sigma","Opcode":"0","ProcessId":"3704","Provider_Guid":"{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}","Provider_Name":"Microsoft-Windows-Kernel-Process","Rule_Author":"Nasreddine Bencherchali (Nextron Systems)","Rule_Description":"Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)","Rule_FalsePositives":"Legitimate applications loading their own versions of the DLLs mentioned in this rule","Rule_Id":"4fc0deee-0057-4998-ab31-d24e46e0aba4","Rule_Level":"high","Rule_Link":"https://github.com/SigmaHQ/sigma/blob/0.22-2324-g82a32de5b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml","Rule_Modified":"2023/03/15","Rule_Path":"public\\windows\\image_load\\image_load_side_load_from_non_system_location.yml","Rule_References":"https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md","Rule_Sigtype":"public","Rule_Title":"Potential System DLL Sideloading From Non System Locations","Security_UserID":"S-1-5-18","Task":"5","TimeCreated_SystemTime":"2023-03-16T23:09:27.1516238Z","TimeDateStamp":"1468636063","Version":"0","Winversion":"14393","level":"warning","msg":"Sigma match found","time":"2023-03-16T23:09:28Z"} 154100x80000000000000008917Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:09:27.942{E30FED86-A1A7-6413-BB1C-00000000C602}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=37B46253848001FA2332AA649697BBB8,SHA256=DCD0C40579E2F66805D1D9BDA1E8626B0988DF29D85429E492756F02DAEF6AF4,IMPHASH=F63F438A21D8EB823E551166D2E72BD6{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356758Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xe78C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008916Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:08:37.379{E30FED86-A175-6413-BA1C-00000000C602}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe9.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6A4D276E993FB7EE14DED01CBEBDA71,SHA256=CD4DF32D3564EA53C1EE782BB5F55A0C0E9CAC30BAE49D51B041829AA96CA5A4,IMPHASH=9374AAB4494C2195A38F44F0D36C8B58{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356757Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xb94C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008915Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:08:36.662{E30FED86-A174-6413-B91C-00000000C602}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356756Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70xa4cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 154100x80000000000000008914Microsoft-Windows-Sysmon/Operationalar-win-3.attackrange.local-2023-03-16 23:08:35.914{E30FED86-A173-6413-B81C-00000000C602}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E30FED86-59B2-6412-E703-000000000000}0x3e70SystemMD5=B6E7745CB09028E7A3DA54C910ACBEB9,SHA256=F8DED57BEF961B925BDF3FC9D829FAD82BF436C49BB635AAE75564D70DABA75A,IMPHASH=6A5601498E7E7959885DB6B8832ECC0A{00000000-0000-0000-0000-000000000000}2032--- 4688201331200x8020000000000000356755Securityar-win-3.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-3$ATTACKRANGE0x3e70x1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7f0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level