03/15/2022 05:25:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848613 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e08 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:25:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848612 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e08 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848611 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848615 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x244c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:25:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848614 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848617 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53917 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848616 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53917 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848619 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53918 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848618 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53918 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774519 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xef8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774522 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xf4c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:25:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774521 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf4c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774520 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xef8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:25:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774525 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774524 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1748 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:25:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774523 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1748 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:25:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774526 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x18a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:25:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848624 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 57605 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848623 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 61611 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:25:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848622 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 52547 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:25:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848621 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49869 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848620 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 52246 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:25:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848626 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53919 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:24 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848625 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53919 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848628 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848627 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848630 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53920 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848629 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53920 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848631 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848633 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53921 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848632 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53921 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848635 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53922 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848634 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53922 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848637 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53923 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848636 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53923 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848641 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53924 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848640 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53924 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848639 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848638 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848642 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848644 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53925 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848643 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53925 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:25:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848646 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53926 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:25:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848645 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53926 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848677 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A4F63 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848676 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5057 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848675 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A50A0 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848674 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5128 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848673 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5128 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: attackrange.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD) 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848672 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5128 Network Information: Object Type: File Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848671 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Delegation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A5128 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2950D1A5-263C-BE83-70C4-1FCE70192D59} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848670 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5128 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848669 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848668 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53931 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848667 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: :: Source Port: 53931 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848666 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A50A0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2950D1A5-263C-BE83-70C4-1FCE70192D59} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.14 Source Port: 53930 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848665 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A50A0 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848664 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.14 Source Port: 53930 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848663 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53930 Destination Address: 10.0.1.14 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65789 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848662 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: 0.0.0.0 Source Port: 53930 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848661 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A5057 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2950D1A5-263C-BE83-70C4-1FCE70192D59} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 0 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848660 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5057 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848659 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A4F63 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2950D1A5-263C-BE83-70C4-1FCE70192D59} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 53929 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848658 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A4F63 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848657 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A4F48 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {2950D1A5-263C-BE83-70C4-1FCE70192D59} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 53928 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848656 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A4F48 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848655 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53929 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848654 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53929 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848653 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53928 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848652 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53928 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 49666 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848651 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 53929 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848650 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 53928 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848649 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 900 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53927 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848648 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53927 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:26:01 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848647 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Source Address: :: Source Port: 53927 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:26:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848679 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53932 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848678 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53932 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848681 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848680 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774527 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x140c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774530 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1184 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:26:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774529 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1184 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774528 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x140c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848686 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2644 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848685 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2b54 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848684 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53933 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848683 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53933 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848682 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b54 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774532 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x11fc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:26:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774531 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x11fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848688 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2848 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848687 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2644 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848697 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2b28 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848696 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b28 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848695 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A8FE1 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848694 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37A8FE1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53934 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848693 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A8FE1 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848692 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 53934 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848691 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 53934 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848690 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 53934 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:26:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848689 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2848 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:26:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848700 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1bf8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:26:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848699 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bf8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848698 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848703 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2734 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:26:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848702 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2734 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848701 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A5128 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:26:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848705 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e00 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:26:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848704 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e00 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848707 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53935 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848706 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53935 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774533 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848709 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53936 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848708 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53936 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774536 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x14fc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:26:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774535 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x14fc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774534 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x19b0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:26:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774539 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774538 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ad8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:26:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774537 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ad8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:26:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774540 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x13f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:26:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848711 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53937 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848710 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53937 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848713 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848712 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848716 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53938 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848715 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53938 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848714 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848718 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53939 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848717 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53939 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848720 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53940 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848719 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53940 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848722 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53941 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848721 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53941 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848724 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848723 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848726 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53942 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:49 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848725 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53942 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:26:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848727 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:54 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848729 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53943 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:26:54 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848728 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53943 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848731 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53944 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:00 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848730 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53944 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848737 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.0.1.14 Source Port: 138 Destination Address: 10.0.1.255 Destination Port: 138 Protocol: 17 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848736 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 138 Destination Address: 10.0.1.255 Destination Port: 138 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848735 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848734 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848733 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53945 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848732 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53945 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774541 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x808 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848739 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b04 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:27:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848738 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b04 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774544 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16a4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:27:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774543 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774542 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x808 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:27:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848741 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x29ac Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:27:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848740 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29ac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774546 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xf7c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:27:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774545 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xf7c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848745 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x276c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848744 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 504 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 123 Destination Address: 168.61.215.74 Destination Port: 123 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848743 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2390 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:27:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848742 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2390 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848753 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x20ac New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848752 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37BF290 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848751 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37BF290 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53946 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848750 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37BF290 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848749 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 53946 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848748 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 53946 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848747 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 53946 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848746 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x276c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:27:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848757 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1e50 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:27:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848756 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e50 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848755 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848754 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x20ac Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:27:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848761 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b6c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:27:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848760 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b6c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848759 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53947 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848758 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53947 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848778 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37C319F Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848777 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37C319F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 53951 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848776 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37C319F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848775 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53951 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848774 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53951 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848773 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 53951 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848772 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37C3133 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848771 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37C3133 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: fe80::b574:557a:2d92:ce61 Source Port: 53950 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848770 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37C3133 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848769 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53950 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848768 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53950 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848767 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 53950 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848766 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 900 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53949 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848765 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Direction: Outbound Source Address: fe80::b574:557a:2d92:ce61 Source Port: 53949 Destination Address: fe80::b574:557a:2d92:ce61 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848764 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1160 Application Name: \device\harddiskvolume1\windows\system32\dfsrs.exe Network Information: Source Address: :: Source Port: 53949 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848763 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53948 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:18 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848762 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53948 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774547 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x4b0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774550 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1900 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:27:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774549 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1900 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774548 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x4b0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:27:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774553 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1854 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774552 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x19d4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:27:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774551 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19d4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:27:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774554 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1854 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:27:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848780 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53952 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:23 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848779 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53952 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848782 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848781 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848784 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53953 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:29 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848783 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53953 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848785 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848788 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53954 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848787 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53954 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848786 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37A4F48 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:27:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848790 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53955 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848789 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53955 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848792 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53956 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848791 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53956 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848807 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6100 Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53957 Destination Address: 142.251.33.106 Destination Port: 443 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848806 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6100 Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe Network Information: Source Address: 0.0.0.0 Source Port: 53957 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848805 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 60081 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848804 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 60081 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848803 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 60081 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848802 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 60081 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848801 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 55944 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848800 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 55944 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848799 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 55944 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848798 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 55944 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848797 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49440 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848796 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 52816 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848795 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 52816 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848794 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 52816 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:27:43 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848793 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 52816 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848811 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53958 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848810 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53958 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848809 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848808 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848814 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53959 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848813 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53959 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:27:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848812 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848816 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53960 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:27:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848815 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53960 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848818 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53961 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:02 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848817 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53961 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848822 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 58011 Destination Address: 10.0.0.2 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848821 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 57241 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:28:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848820 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 58979 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:28:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848819 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2320 Application Name: \device\harddiskvolume1\windows\system32\dns.exe Network Information: Direction: Inbound Source Address: 10.0.1.15 Source Port: 58495 Destination Address: 10.0.1.14 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:28:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848824 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848823 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774555 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16c4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848826 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2344 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:28:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848825 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2344 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774558 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16f0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:28:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774557 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x16f0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774556 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x16c4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848830 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x36c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848829 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53962 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848828 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53962 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848827 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x36c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774560 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1f8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:28:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774559 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1f8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848833 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1d8c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848832 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x244c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:28:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848831 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x244c New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848842 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x438 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848841 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x438 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848840 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37D7576 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848839 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37D7576 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53963 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848838 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37D7576 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848837 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 53963 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848836 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 53963 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848835 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 53963 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:28:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848834 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1d8c Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:28:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848845 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x29f8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:28:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848844 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29f8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848843 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848847 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2ac8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:28:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848846 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ac8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848849 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53964 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848848 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53964 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848851 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53965 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848850 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53965 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774561 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xb64 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774564 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc50 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:28:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774563 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc50 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774562 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xb64 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:28:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774567 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xc18 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774566 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xbbc Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:28:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774565 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0xbbc New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:28:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774568 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0xc18 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:28:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848853 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53966 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848852 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53966 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848855 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848854 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848857 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53967 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848856 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53967 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848858 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848860 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53968 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848859 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53968 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848862 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53969 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:35 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848861 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53969 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848864 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53970 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848863 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53970 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848868 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53971 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848867 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53971 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848866 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848865 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848869 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848871 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53972 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848870 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53972 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:28:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848873 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53973 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:28:58 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848872 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53973 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848875 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53974 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848874 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53974 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848877 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848876 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774569 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bf4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848879 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ab4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:29:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848878 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ab4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774572 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x238 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:29:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774571 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774570 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1bf4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:29:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848881 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x22d0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:29:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848880 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x22d0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774574 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1bb8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:29:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774573 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1bb8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848885 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2be0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:29:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848884 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2be0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848883 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53975 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:09 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848882 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53975 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4634 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logoff OpCode=Info RecordNumber=1849848893 Keywords=Audit Success Message=An account was logged off. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37ED7D3 Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848892 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37ED7D3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {1EA7D791-794D-EAC3-C48F-289A97B411E2} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: ::1 Source Port: 53976 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848891 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0xF37ED7D3 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848890 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: ::1 Source Port: 53976 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65786 Layer Name: Receive/Accept Layer Run-Time ID: 46 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848889 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 53976 Destination Address: ::1 Destination Port: 389 Protocol: 6 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848888 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2892 Application Name: \device\harddiskvolume1\windows\adws\microsoft.activedirectory.webservices.exe Network Information: Source Address: :: Source Port: 53976 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848887 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1918 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:29:10 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848886 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1918 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848897 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2790 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848896 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x10a4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:29:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848895 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:11 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848894 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x10a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848899 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1be0 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x149c Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:12 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848898 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x2790 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:29:13 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848900 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1be0 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:29:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848902 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53977 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:14 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848901 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53977 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:19 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774575 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x13a8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848909 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 6100 Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53979 Destination Address: 34.117.237.239 Destination Port: 443 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848908 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 6100 Application Name: \device\harddiskvolume1\program files\mozilla firefox\firefox.exe Network Information: Source Address: 0.0.0.0 Source Port: 53979 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848907 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Outbound Source Address: ::1 Source Port: 52816 Destination Address: ::1 Destination Port: 53 Protocol: 17 Filter Information: Filter Run-Time ID: 65788 Layer Name: Connect Layer Run-Time ID: 50 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848906 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 52816 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 38 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848905 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 1092 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Source Address: :: Source Port: 52816 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848904 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53978 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848903 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53978 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774578 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x290 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774577 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x290 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:20 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774576 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x13a8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe Exit Status: 0x1 03/15/2022 05:29:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774581 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1828 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774580 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1288 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Exit Status: 0x1 03/15/2022 05:29:21 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774579 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1288 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:22 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774582 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1828 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe Exit Status: 0x1 03/15/2022 05:29:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848911 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53980 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:25 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848910 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53980 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848913 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:26 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848912 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848915 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53981 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:30 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848914 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53981 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:31 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848916 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848918 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53982 Destination Address: 10.0.1.12 Destination Port: 8089 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:33 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848917 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 5276 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53982 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848920 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53983 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:36 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848919 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53983 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848943 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BD5A751-2365-45F3-663F-98F0EA5A9935} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.16 Source Port: 49386 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848942 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=1849848941 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: fakeuser@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1B411C86-0C68-4A0E-ED5F-C19E52A11DC6} Service Information: Service Name: WIN-DC-128$ Service ID: ATTACKRANGE\WIN-DC-128$ Network Information: Client Address: ::ffff:10.0.1.16 Client Port: 44978 Additional Information: Ticket Options: 0x40810010 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848940 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 44978 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848939 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F7546 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BD5A751-2365-45F3-663F-98F0EA5A9935} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.16 Source Port: 49386 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848938 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F7546 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=1849848937 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: fakeuser@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1B411C86-0C68-4A0E-ED5F-C19E52A11DC6} Service Information: Service Name: WIN-DC-128$ Service ID: ATTACKRANGE\WIN-DC-128$ Network Information: Client Address: ::ffff:10.0.1.16 Client Port: 44976 Additional Information: Ticket Options: 0x40810010 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848936 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 44976 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848935 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F752F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BD5A751-2365-45F3-663F-98F0EA5A9935} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.16 Source Port: 49386 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848934 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F752F Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=1849848933 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: fakeuser@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1B411C86-0C68-4A0E-ED5F-C19E52A11DC6} Service Information: Service Name: WIN-DC-128$ Service ID: ATTACKRANGE\WIN-DC-128$ Network Information: Client Address: ::ffff:10.0.1.16 Client Port: 44974 Additional Information: Ticket Options: 0x40810010 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848932 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 44974 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848931 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 1264 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 49386 Destination Address: 10.0.1.14 Destination Port: 49668 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848930 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74EA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BD5A751-2365-45F3-663F-98F0EA5A9935} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.16 Source Port: 42162 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848929 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74EA Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=1849848928 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: fakeuser@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1B411C86-0C68-4A0E-ED5F-C19E52A11DC6} Service Information: Service Name: WIN-DC-128$ Service ID: ATTACKRANGE\WIN-DC-128$ Network Information: Client Address: ::ffff:10.0.1.16 Client Port: 44970 Additional Information: Ticket Options: 0x40810010 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848927 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 44970 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848926 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 900 Application Name: \device\harddiskvolume1\windows\system32\svchost.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 42162 Destination Address: 10.0.1.14 Destination Port: 135 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4624 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Logon OpCode=Info RecordNumber=1849848925 Keywords=Audit Success Message=An account was successfully logged on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {7BD5A751-2365-45F3-663F-98F0EA5A9935} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 10.0.1.16 Source Port: 55408 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4672 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Special Logon OpCode=Info RecordNumber=1849848924 Keywords=Audit Success Message=Special privileges assigned to new logon. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4769 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Kerberos Service Ticket Operations OpCode=Info RecordNumber=1849848923 Keywords=Audit Success Message=A Kerberos service ticket was requested. Account Information: Account Name: fakeuser@ATTACKRANGE.LOCAL Account Domain: ATTACKRANGE.LOCAL Logon GUID: {1B411C86-0C68-4A0E-ED5F-C19E52A11DC6} Service Information: Service Name: WIN-DC-128$ Service ID: ATTACKRANGE\WIN-DC-128$ Network Information: Client Address: ::ffff:10.0.1.16 Client Port: 44966 Additional Information: Ticket Options: 0x40810010 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120. 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848922 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 636 Application Name: \device\harddiskvolume1\windows\system32\lsass.exe Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 44966 Destination Address: 10.0.1.14 Destination Port: 88 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:37 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848921 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 10.0.1.16 Source Port: 55408 Destination Address: 10.0.1.14 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 66884 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848982 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x10080 Accesses: DELETE ReadAttributes Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848981 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848980 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848979 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x2960 Process Name: C:\Windows\System32\conhost.exe Exit Status: 0x0 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848978 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848977 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x2bcc Process Name: C:\Windows\System32\cmd.exe Exit Status: 0x0 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848976 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x2 Accesses: WriteData (or AddFile) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848975 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x120196 Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848974 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848973 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848972 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848971 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848970 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848969 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4674 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Sensitive Privilege Use OpCode=Info RecordNumber=1849848968 Keywords=Audit Success Message=An operation was attempted on a privileged object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Object: Object Server: Security Object Type: File Object Name: \Device\ConDrv Object Handle: 0x4 Process Information: Process ID: 0x2960 Process Name: C:\Windows\System32\cmd.exe Requested Operation: Desired Access: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA Execute/Traverse DeleteChild ReadAttributes WriteAttributes Privileges: SeTakeOwnershipPrivilege 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848967 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2960 New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2bcc Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848966 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: NULL SID Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: New Process ID: 0x2bcc New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x191c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1647365390.2209284 2>&1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848965 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x10080 Accesses: DELETE ReadAttributes Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848964 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848963 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848962 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x19bc Process Name: C:\Windows\System32\conhost.exe Exit Status: 0x0 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848961 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x2b98 Process Name: C:\Windows\System32\cmd.exe Exit Status: 0x0 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848960 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848959 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x2 Accesses: WriteData (or AddFile) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848958 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x120196 Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848957 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848956 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848955 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 127.0.0.1 Source Port: 53984 Destination Address: 127.0.0.1 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65787 Layer Name: Receive/Accept Layer Run-Time ID: 44 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848954 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Outbound Source Address: 127.0.0.1 Source Port: 53984 Destination Address: 127.0.0.1 Destination Port: 445 Protocol: 6 Filter Information: Filter Run-Time ID: 65789 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849848953 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 4 Application Name: System Network Information: Source Address: 0.0.0.0 Source Port: 53984 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848952 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848951 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848950 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848949 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848948 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4674 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Sensitive Privilege Use OpCode=Info RecordNumber=1849848947 Keywords=Audit Success Message=An operation was attempted on a privileged object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Object: Object Server: Security Object Type: File Object Name: \Device\ConDrv Object Handle: 0x4 Process Information: Process ID: 0x19bc Process Name: C:\Windows\System32\cmd.exe Requested Operation: Desired Access: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA Execute/Traverse DeleteChild ReadAttributes WriteAttributes Privileges: SeTakeOwnershipPrivilege 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848946 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x19bc New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x2b98 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848945 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: NULL SID Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: New Process ID: 0x2b98 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x191c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1647365390.2209284 2>&1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:38 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848944 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Process Information: New Process ID: 0x191c New Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x34c Creator Process Name: C:\Windows\System32\svchost.exe Process Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849849000 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x2ba0 Process Name: C:\Windows\System32\conhost.exe Exit Status: 0x0 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848999 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x12d4 Process Name: C:\Windows\System32\cmd.exe Exit Status: 0x0 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=1849848998 Keywords=Audit Success Message=A process has exited. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: Process ID: 0x2194 Process Name: C:\Windows\System32\whoami.exe Exit Status: 0x0 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848997 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848996 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848995 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848994 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2194 New Process Name: C:\Windows\System32\whoami.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x12d4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: whoami Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848993 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x2 Accesses: WriteData (or AddFile) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848992 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Network Information: Object Type: File Source Address: 127.0.0.1 Source Port: 53984 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x120196 Accesses: READ_CONTROL SYNCHRONIZE WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) WriteEA ReadAttributes WriteAttributes Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848991 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848990 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848989 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848988 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849848987 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849848986 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4674 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Sensitive Privilege Use OpCode=Info RecordNumber=1849848985 Keywords=Audit Success Message=An operation was attempted on a privileged object. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Object: Object Server: Security Object Type: File Object Name: \Device\ConDrv Object Handle: 0x4 Process Information: Process ID: 0x2ba0 Process Name: C:\Windows\System32\cmd.exe Requested Operation: Desired Access: DELETE READ_CONTROL WRITE_DAC WRITE_OWNER SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA Execute/Traverse DeleteChild ReadAttributes WriteAttributes Privileges: SeTakeOwnershipPrivilege 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848984 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2ba0 New Process Name: C:\Windows\System32\conhost.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x12d4 Creator Process Name: C:\Windows\System32\cmd.exe Process Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:40 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=1849848983 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\NETWORK SERVICE Account Name: WIN-DC-128$ Account Domain: ATTACKRANGE Logon ID: 0x3E4 Target Subject: Security ID: NULL SID Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F755B Process Information: New Process ID: 0x12d4 New Process Name: C:\Windows\System32\cmd.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\High Mandatory Level Creator Process ID: 0x191c Creator Process Name: C:\Windows\System32\wbem\WmiPrvSE.exe Process Command Line: cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1647365390.2209284 2>&1 Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849849006 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x10080 Accesses: DELETE ReadAttributes Access Check Results: - 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849849005 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5145 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Detailed File Share OpCode=Info RecordNumber=1849849004 Keywords=Audit Success Message=A network share object was checked to see whether client can be granted desired access. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Relative Target Name: __1647365390.2209284 Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) Access Check Results: - 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5140 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=File Share OpCode=Info RecordNumber=1849849003 Keywords=Audit Success Message=A network share object was accessed. Subject: Security ID: ATTACKRANGE\Administrator Account Name: fakeuser Account Domain: ATTACKRANGE.LOCAL Logon ID: 0xF37F74D9 Network Information: Object Type: File Source Address: 10.0.1.16 Source Port: 55408 Share Information: Share Name: \\*\ADMIN$ Share Path: \??\C:\Windows Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory) 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849002 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53985 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:41 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849001 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53985 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849008 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:46 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849007 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849010 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53986 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:47 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849009 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53986 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:51 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849011 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849013 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53987 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:52 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849012 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53987 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:29:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849015 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53988 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:29:57 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849014 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53988 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:30:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849017 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 53989 Destination Address: 10.0.1.12 Destination Port: 8000 Protocol: 6 Filter Information: Filter Run-Time ID: 68192 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:30:03 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5158 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849016 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a bind to a local port. Application Information: Process ID: 2524 Application Name: \device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe Network Information: Source Address: 0.0.0.0 Source Port: 53989 Protocol: 6 Filter Information: Filter Run-Time ID: 0 Layer Name: Resource Assignment Layer Run-Time ID: 36 03/15/2022 05:30:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849019 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:30:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=5156 EventType=0 Type=Information ComputerName=win-dc-128.attackrange.local TaskCategory=Filtering Platform Connection OpCode=Info RecordNumber=1849849018 Keywords=Audit Success Message=The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 2556 Application Name: \device\harddiskvolume1\users\public\splunkd.exe Network Information: Direction: Outbound Source Address: 10.0.1.14 Source Port: 49679 Destination Address: 10.0.1.12 Destination Port: 7010 Protocol: 6 Filter Information: Filter Run-Time ID: 68196 Layer Name: Connect Layer Run-Time ID: 48 03/15/2022 05:30:06 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774583 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1b64 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:30:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774586 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1ad8 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Exit Status: 0x1 03/15/2022 05:30:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774585 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1ad8 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. 03/15/2022 05:30:07 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774584 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x1b64 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe Exit Status: 0x1 03/15/2022 05:30:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4689 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Termination OpCode=Info RecordNumber=5774588 Keywords=Audit Success Message=A process has exited. Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Process Information: Process ID: 0x18a4 Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Exit Status: 0x1 03/15/2022 05:30:08 PM LogName=Security SourceName=Microsoft Windows security auditing. EventCode=4688 EventType=0 Type=Information ComputerName=win-host-987.attackrange.local TaskCategory=Process Creation OpCode=Info RecordNumber=5774587 Keywords=Audit Success Message=A new process has been created. Creator Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: WIN-HOST-987$ Account Domain: ATTACKRANGE Logon ID: 0x3E7 Target Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18a4 New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe Token Elevation Type: %%1936 Mandatory Label: Mandatory Label\System Mandatory Level Creator Process ID: 0x6c4 Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.