354300x8000000000000000313031Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:25:47.995{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-36366-false10.0.1.12-8089- 23542300x8000000000000000313032Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:25:50.165{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313033Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:25:51.595{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47324-false10.0.1.12-8000- 354300x8000000000000000313034Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:25:56.642{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47338-false10.0.1.12-8000- 354300x8000000000000000313035Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:01.802{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-56732-false10.0.1.12-8000- 354300x8000000000000000313036Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:07.781{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-56734-false10.0.1.12-8000- 154100x8000000000000000313037Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:08.322{ec2a0601-f470-63e4-6844-6bcbc8550000}2471/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313038Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:08.333{ec2a0601-f470-63e4-6844-6bcbc8550000}2471/bin/psroot 354300x8000000000000000313039Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:13.603{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35806-false10.0.1.12-8000- 354300x8000000000000000313040Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:18.748{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35808-false10.0.1.12-8000- 23542300x8000000000000000313041Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:20.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313042Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:24.607{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-59210-false10.0.1.12-8000- 354300x8000000000000000313043Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:29.640{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-59216-false10.0.1.12-8000- 354300x8000000000000000313044Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:34.660{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49628-false10.0.1.12-8000- 354300x8000000000000000313045Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:39.726{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49636-false10.0.1.12-8000- 354300x8000000000000000313046Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:44.754{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39740-false10.0.1.12-8000- 354300x8000000000000000313047Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:48.001{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-42626-false10.0.1.12-8089- 23542300x8000000000000000313048Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:50.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313049Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:50.594{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57708-false10.0.1.12-8000- 354300x8000000000000000313050Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:26:55.768{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57710-false10.0.1.12-8000- 354300x8000000000000000313051Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:01.646{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52690-false10.0.1.12-8000- 354300x8000000000000000313052Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:07.606{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52692-false10.0.1.12-8000- 154100x8000000000000000313053Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:09.386{ec2a0601-f4ad-63e4-6834-edd149560000}2472/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313054Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:09.397{ec2a0601-f4ad-63e4-6834-edd149560000}2472/bin/psroot 354300x8000000000000000313055Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:12.616{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40822-false10.0.1.12-8000- 354300x8000000000000000313056Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:17.804{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40832-false10.0.1.12-8000- 23542300x8000000000000000313057Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:20.297{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313058Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:22.817{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-43562-false10.0.1.12-8000- 354300x8000000000000000313059Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:28.679{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-43570-false10.0.1.12-8000- 354300x8000000000000000313060Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:33.718{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38116-false10.0.1.12-8000- 354300x8000000000000000313061Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:38.730{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38124-false10.0.1.12-8000- 354300x8000000000000000313062Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:43.738{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58294-false10.0.1.12-8000- 354300x8000000000000000313063Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:48.004{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-53630-false10.0.1.12-8089- 354300x8000000000000000313064Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:48.805{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58298-false10.0.1.12-8000- 23542300x8000000000000000313065Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:50.300{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313066Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:54.666{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-54024-false10.0.1.12-8000- 354300x8000000000000000313067Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:27:59.706{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-54038-false10.0.1.12-8000- 354300x8000000000000000313068Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:04.779{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41826-false10.0.1.12-8000- 354300x8000000000000000313069Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:07.518{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcpfalsefalse104.131.128.12-41912-false10.0.1.20-8089- 354300x8000000000000000313070Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:09.811{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41832-false10.0.1.12-8000- 154100x8000000000000000313071Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:10.398{ec2a0601-f4ea-63e4-6884-42dcb8550000}2473/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313072Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:10.410{ec2a0601-f4ea-63e4-6884-42dcb8550000}2473/bin/psroot 354300x8000000000000000313073Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:15.700{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50358-false10.0.1.12-8000- 23542300x8000000000000000313074Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:20.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313075Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:20.783{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45860-false10.0.1.12-8000- 354300x8000000000000000313076Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:26.678{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45874-false10.0.1.12-8000- 354300x8000000000000000313077Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:32.647{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47356-false10.0.1.12-8000- 354300x8000000000000000313078Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:38.620{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47372-false10.0.1.12-8000- 354300x8000000000000000313079Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:44.588{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57148-false10.0.1.12-8000- 354300x8000000000000000313080Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:48.009{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-40194-false10.0.1.12-8089- 354300x8000000000000000313081Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:49.694{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57160-false10.0.1.12-8000- 23542300x8000000000000000313082Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:50.283{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313083Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:28:54.795{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44372-false10.0.1.12-8000- 354300x8000000000000000313084Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:00.594{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40576-false10.0.1.12-8000- 354300x8000000000000000313085Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:05.683{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40590-false10.0.1.12-8000- 354300x8000000000000000313086Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:10.785{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35534-false10.0.1.12-8000- 154100x8000000000000000313087Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:11.471{ec2a0601-f527-63e4-68c4-dfd36d550000}2474/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313088Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:11.482{ec2a0601-f527-63e4-68c4-dfd36d550000}2474/bin/psroot 354300x8000000000000000313089Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:16.610{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35546-false10.0.1.12-8000- 23542300x8000000000000000313090Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:20.131{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313091Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:21.683{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58180-false10.0.1.12-8000- 354300x8000000000000000313092Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:26.718{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58184-false10.0.1.12-8000- 354300x8000000000000000313093Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:31.786{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50746-false10.0.1.12-8000- 354300x8000000000000000313094Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:37.676{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50762-false10.0.1.12-8000- 354300x8000000000000000313095Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:42.694{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34916-false10.0.1.12-8000- 354300x8000000000000000313096Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:47.807{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34922-false10.0.1.12-8000- 354300x8000000000000000313097Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:48.014{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-33722-false10.0.1.12-8089- 23542300x8000000000000000313098Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:50.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313099Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:53.769{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58676-false10.0.1.12-8000- 354300x8000000000000000313100Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:29:59.679{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58688-false10.0.1.12-8000- 354300x8000000000000000313101Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:05.635{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38566-false10.0.1.12-8000- 354300x8000000000000000313102Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:10.663{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51366-false10.0.1.12-8000- 154100x8000000000000000313103Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:12.484{ec2a0601-f564-63e4-68c4-e22fa4550000}2475/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313104Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:12.497{ec2a0601-f564-63e4-68c4-e22fa4550000}2475/bin/psroot 354300x8000000000000000313105Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:15.683{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51380-false10.0.1.12-8000- 23542300x8000000000000000313106Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:20.300{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313107Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:20.815{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34792-false10.0.1.12-8000- 354300x8000000000000000313108Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:26.703{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34796-false10.0.1.12-8000- 354300x8000000000000000313109Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:32.592{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44406-false10.0.1.12-8000- 354300x8000000000000000313110Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:37.630{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44418-false10.0.1.12-8000- 354300x8000000000000000313111Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:42.672{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50392-false10.0.1.12-8000- 534500x8000000000000000313112Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:43.585{ec2a0601-d380-63e4-c8fa-9aebae550000}451/lib/systemd/systemd-journaldroot 354300x8000000000000000313113Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:47.818{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50394-false10.0.1.12-8000- 354300x8000000000000000313114Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:48.019{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-52438-false10.0.1.12-8089- 23542300x8000000000000000313115Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:50.165{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313116Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:53.598{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41402-false10.0.1.12-8000- 354300x8000000000000000313117Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:30:58.638{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41412-false10.0.1.12-8000- 354300x8000000000000000313118Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:03.718{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36748-false10.0.1.12-8000- 354300x8000000000000000313119Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:09.684{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36764-false10.0.1.12-8000- 154100x8000000000000000313120Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:13.556{ec2a0601-f5a1-63e4-6814-0777e0550000}2477/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313121Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:13.567{ec2a0601-f5a1-63e4-6814-0777e0550000}2477/bin/psroot 354300x8000000000000000313122Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:14.803{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49612-false10.0.1.12-8000- 23542300x8000000000000000313123Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:20.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313124Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:20.715{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53564-false10.0.1.12-8000- 354300x8000000000000000313125Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:25.820{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53578-false10.0.1.12-8000- 354300x8000000000000000313126Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:31.730{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36296-false10.0.1.12-8000- 354300x8000000000000000313127Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:37.686{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36300-false10.0.1.12-8000- 354300x8000000000000000313128Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:43.661{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49590-false10.0.1.12-8000- 354300x8000000000000000313129Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:48.025{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-60830-false10.0.1.12-8089- 354300x8000000000000000313130Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:48.672{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49602-false10.0.1.12-8000- 23542300x8000000000000000313131Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:50.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313132Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:53.688{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57930-false10.0.1.12-8000- 354300x8000000000000000313133Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:31:58.785{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57938-false10.0.1.12-8000- 354300x8000000000000000313134Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:04.709{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-59354-false10.0.1.12-8000- 354300x8000000000000000313135Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:10.641{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51002-false10.0.1.12-8000- 154100x8000000000000000313136Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:14.569{ec2a0601-f5de-63e4-6894-b932c0550000}2478/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313137Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:14.581{ec2a0601-f5de-63e4-6894-b932c0550000}2478/bin/psroot 354300x8000000000000000313138Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:15.679{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51014-false10.0.1.12-8000- 23542300x8000000000000000313139Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:20.288{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313140Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:21.595{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36132-false10.0.1.12-8000- 354300x8000000000000000313141Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:26.749{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36138-false10.0.1.12-8000- 354300x8000000000000000313142Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:32.701{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-42682-false10.0.1.12-8000- 354300x8000000000000000313143Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:38.588{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-42688-false10.0.1.12-8000- 354300x8000000000000000313144Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:43.686{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51688-false10.0.1.12-8000- 354300x8000000000000000313145Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:48.029{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-48298-false10.0.1.12-8089- 354300x8000000000000000313146Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:48.743{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51694-false10.0.1.12-8000- 23542300x8000000000000000313147Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:50.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313148Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:53.767{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-54638-false10.0.1.12-8000- 354300x8000000000000000313149Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:32:59.703{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-54644-false10.0.1.12-8000- 154100x8000000000000000313151Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:01.522{ec2a0601-f60d-63e4-e0d7-906397550000}2479/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1122--- 354300x8000000000000000313150Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:01.522{ec2a0601-d386-63e4-e0b7-6ff341560000}1122/usr/sbin/sshdroottcpfalsefalse162.142.125.9-42256-false10.0.1.20-22- 354300x8000000000000000313152Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:05.623{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-43460-false10.0.1.12-8000- 354300x8000000000000000313153Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:10.713{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39246-false10.0.1.12-8000- 154100x8000000000000000313154Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:15.584{ec2a0601-f61b-63e4-68a4-7c9441560000}2481/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313155Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:15.594{ec2a0601-f61b-63e4-68a4-7c9441560000}2481/bin/psroot 534500x8000000000000000313157Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:16.558{ec2a0601-f60d-63e4-e0d7-906397550000}2479/usr/sbin/sshdroot 534500x8000000000000000313156Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:16.558{ec2a0601-f60d-63e4-0000-000000000000}2480-sshd 354300x8000000000000000313158Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:16.681{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-39252-false10.0.1.12-8000- 23542300x8000000000000000313159Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:20.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313160Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:21.684{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45558-false10.0.1.12-8000- 354300x8000000000000000313161Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:26.692{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45572-false10.0.1.12-8000- 354300x8000000000000000313162Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:31.780{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37732-false10.0.1.12-8000- 354300x8000000000000000313163Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:37.718{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37746-false10.0.1.12-8000- 354300x8000000000000000313164Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:42.781{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41916-false10.0.1.12-8000- 354300x8000000000000000313165Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:48.033{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-41606-false10.0.1.12-8089- 354300x8000000000000000313166Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:48.740{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41926-false10.0.1.12-8000- 23542300x8000000000000000313167Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:50.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313168Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:54.667{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47498-false10.0.1.12-8000- 354300x8000000000000000313169Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:33:59.751{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47502-false10.0.1.12-8000- 354300x8000000000000000313170Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:05.603{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49764-false10.0.1.12-8000- 354300x8000000000000000313171Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:10.730{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47860-false10.0.1.12-8000- 354300x8000000000000000313172Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:16.590{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-47874-false10.0.1.12-8000- 154100x8000000000000000313173Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:16.596{ec2a0601-f658-63e4-6814-c54fa4550000}2482/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313174Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:16.608{ec2a0601-f658-63e4-6814-c54fa4550000}2482/bin/psroot 23542300x8000000000000000313175Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:20.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313176Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:21.759{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49766-false10.0.1.12-8000- 354300x8000000000000000313177Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:26.775{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49772-false10.0.1.12-8000- 354300x8000000000000000313178Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:32.688{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35842-false10.0.1.12-8000- 354300x8000000000000000313179Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:38.585{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35858-false10.0.1.12-8000- 354300x8000000000000000313180Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:44.585{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36162-false10.0.1.12-8000- 354300x8000000000000000313181Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:48.037{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-47564-false10.0.1.12-8089- 354300x8000000000000000313182Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:49.702{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36168-false10.0.1.12-8000- 23542300x8000000000000000313183Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:50.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313184Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:34:54.760{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49368-false10.0.1.12-8000- 354300x8000000000000000313185Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:00.654{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34010-false10.0.1.12-8000- 354300x8000000000000000313186Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:05.730{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-34018-false10.0.1.12-8000- 354300x8000000000000000313187Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:10.737{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58668-false10.0.1.12-8000- 354300x8000000000000000313188Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:16.605{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58680-false10.0.1.12-8000- 154100x8000000000000000313189Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:17.668{ec2a0601-f695-63e4-6894-3f43be550000}2484/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313190Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:17.679{ec2a0601-f695-63e4-6894-3f43be550000}2484/bin/psroot 23542300x8000000000000000313191Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:20.301{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313192Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:21.642{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53330-false10.0.1.12-8000- 354300x8000000000000000313193Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:26.716{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53338-false10.0.1.12-8000- 354300x8000000000000000313194Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:31.829{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49518-false10.0.1.12-8000- 354300x8000000000000000313195Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:37.776{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49532-false10.0.1.12-8000- 354300x8000000000000000313198Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:39.893{ec2a0601-d381-63e4-7096-b67626560000}641/lib/systemd/systemd-timesyncdsystemd-timesyncudpfalsefalse0.0.0.0-0-false0.0.0.0-40993- 534500x8000000000000000313197Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:39.893{ec2a0601-d383-63e4-90a6-76288b550000}871/lib/systemd/systemd-networkdsystemd-network 354300x8000000000000000313196Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:39.893{ec2a0601-d383-63e4-90a6-76288b550000}871/lib/systemd/systemd-networkd-udptruefalse10.0.1.20-68-false10.0.1.1-67- 354300x8000000000000000313199Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:39.894{ec2a0601-d381-63e4-7096-b67626560000}641/lib/systemd/systemd-timesyncdsystemd-timesyncudptruefalse10.0.1.20-40993-false169.254.169.123-123- 354300x8000000000000000313200Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:43.651{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49332-false10.0.1.12-8000- 534500x8000000000000000313201Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:43.660{ec2a0601-d380-63e4-c8fa-9aebae550000}451/lib/systemd/systemd-journaldroot 354300x8000000000000000313202Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:48.042{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-35986-false10.0.1.12-8089- 354300x8000000000000000313203Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:48.759{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-49336-false10.0.1.12-8000- 23542300x8000000000000000313204Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:50.165{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313205Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:35:54.642{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38076-false10.0.1.12-8000- 354300x8000000000000000313206Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:00.620{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37732-false10.0.1.12-8000- 354300x8000000000000000313207Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:06.610{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37742-false10.0.1.12-8000- 354300x8000000000000000313208Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:11.689{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-59432-false10.0.1.12-8000- 354300x8000000000000000313209Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:17.677{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-59446-false10.0.1.12-8000- 154100x8000000000000000313210Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:18.680{ec2a0601-f6d2-63e4-68d4-5e932e560000}2487/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313211Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:18.691{ec2a0601-f6d2-63e4-68d4-5e932e560000}2487/bin/psroot 23542300x8000000000000000313212Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:20.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313213Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:23.615{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37534-false10.0.1.12-8000- 354300x8000000000000000313214Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:28.726{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37540-false10.0.1.12-8000- 354300x8000000000000000313215Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:33.833{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37148-false10.0.1.12-8000- 354300x8000000000000000313216Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:39.719{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-37156-false10.0.1.12-8000- 354300x8000000000000000313217Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:44.722{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36600-false10.0.1.12-8000- 354300x8000000000000000313218Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:48.048{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-33856-false10.0.1.12-8089- 354300x8000000000000000313219Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:49.813{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-36602-false10.0.1.12-8000- 23542300x8000000000000000313220Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:50.297{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313221Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:36:55.712{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38874-false10.0.1.12-8000- 354300x8000000000000000313222Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:01.637{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45720-false10.0.1.12-8000- 354300x8000000000000000313223Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:06.714{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45726-false10.0.1.12-8000- 154100x8000000000000000313225Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:12.027{ec2a0601-f708-63e4-e0c7-5e08fa550000}2488/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1122--- 354300x8000000000000000313224Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:12.027{ec2a0601-d386-63e4-e0b7-6ff341560000}1122/usr/sbin/sshdroottcpfalsefalse175.205.155.135-62824-false10.0.1.20-22- 354300x8000000000000000313226Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:12.674{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-46680-false10.0.1.12-8000- 534500x8000000000000000313227Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:15.080{ec2a0601-f708-63e4-0000-000000000000}2489-sshd 534500x8000000000000000313228Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:15.081{ec2a0601-f708-63e4-e0c7-5e08fa550000}2488/usr/sbin/sshdroot 354300x8000000000000000313229Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:15.440{ec2a0601-d386-63e4-e0b7-6ff341560000}1122/usr/sbin/sshdroottcpfalsefalse175.205.155.135-62853-false10.0.1.20-22- 154100x8000000000000000313230Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:15.441{ec2a0601-f70b-63e4-e057-ccf2ce550000}2490/usr/sbin/sshd-----/usr/sbin/sshd -D -R/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1122--- 534500x8000000000000000313231Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:17.671{ec2a0601-f70b-63e4-0000-000000000000}2491-sshd 534500x8000000000000000313232Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:17.672{ec2a0601-f70b-63e4-e057-ccf2ce550000}2490/usr/sbin/sshdroot 354300x8000000000000000313233Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:17.759{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-46682-false10.0.1.12-8000- 154100x8000000000000000313234Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:19.751{ec2a0601-f70f-63e4-68e4-ac2a4a560000}2492/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313235Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:19.763{ec2a0601-f70f-63e4-68e4-ac2a4a560000}2492/bin/psroot 23542300x8000000000000000313236Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:20.297{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313237Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:23.623{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51334-false10.0.1.12-8000- 354300x8000000000000000313238Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:28.746{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51342-false10.0.1.12-8000- 354300x8000000000000000313239Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:33.780{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53670-false10.0.1.12-8000- 354300x8000000000000000313240Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:39.704{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53684-false10.0.1.12-8000- 354300x8000000000000000313241Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:44.791{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58102-false10.0.1.12-8000- 354300x8000000000000000313242Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:48.052{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-35474-false10.0.1.12-8089- 23542300x8000000000000000313243Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:50.309{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313244Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:50.729{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50764-false10.0.1.12-8000- 354300x8000000000000000313245Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:37:56.647{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50780-false10.0.1.12-8000- 354300x8000000000000000313246Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:01.774{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50352-false10.0.1.12-8000- 534500x8000000000000000313247Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:06.144{00000000-0000-0000-0000-000000000000}2493<unknown process>ubuntu 354300x8000000000000000313248Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:07.718{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-50366-false10.0.1.12-8000- 354300x8000000000000000313249Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:12.775{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45014-false10.0.1.12-8000- 354300x8000000000000000313250Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:18.623{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45026-false10.0.1.12-8000- 23542300x8000000000000000313251Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:20.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x8000000000000000313252Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:20.763{ec2a0601-f74c-63e4-6884-5f161e560000}2494/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313253Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:20.775{ec2a0601-f74c-63e4-6884-5f161e560000}2494/bin/psroot 354300x8000000000000000313254Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:23.678{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40220-false10.0.1.12-8000- 354300x8000000000000000313255Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:28.713{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-40226-false10.0.1.12-8000- 354300x8000000000000000313256Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:34.654{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35268-false10.0.1.12-8000- 354300x8000000000000000313257Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:39.777{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-35274-false10.0.1.12-8000- 354300x8000000000000000313258Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:45.769{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-57738-false10.0.1.12-8000- 354300x8000000000000000313259Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:48.056{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-47998-false10.0.1.12-8089- 23542300x8000000000000000313260Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:50.298{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 354300x8000000000000000313261Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:51.594{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44980-false10.0.1.12-8000- 354300x8000000000000000313262Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:38:56.725{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44982-false10.0.1.12-8000- 354300x8000000000000000313263Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:01.820{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52836-false10.0.1.12-8000- 354300x8000000000000000313264Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:07.767{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52842-false10.0.1.12-8000- 354300x8000000000000000313265Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:12.833{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53364-false10.0.1.12-8000- 354300x8000000000000000313266Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:18.690{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53374-false10.0.1.12-8000- 23542300x8000000000000000313267Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:20.310{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x8000000000000000313268Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:21.835{ec2a0601-f789-63e4-68d4-b82256550000}2495/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313269Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:21.847{ec2a0601-f789-63e4-68d4-b82256550000}2495/bin/psroot 354300x8000000000000000313270Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:24.669{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-51522-false10.0.1.12-8000- 534500x8000000000000000313271Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:25.657{00000000-0000-0000-0000-000000000000}2496<unknown process>ubuntu 354300x8000000000000000313272Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:30.646{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38098-false10.0.1.12-8000- 154100x8000000000000000313273Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.872{ec2a0601-f797-63e4-088e-60829d550000}2497/usr/bin/sudo-----sudo su/home/ubuntuubuntu{ec2a0601-e84f-63e4-e803-000000000000}10003no level-{ec2a0601-e84e-63e4-4874-fed5d2550000}2380/bin/bash-bashubuntu 354300x8000000000000000313277Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.889{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-59316-false10.0.0.2-53- 354300x8000000000000000313276Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.889{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-56727-false10.0.0.2-53- 354300x8000000000000000313275Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.889{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudpfalsefalse0.0.0.0-0-false127.0.0.53-53- 354300x8000000000000000313274Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.889{ec2a0601-f797-63e4-088e-60829d550000}2497/usr/bin/sudoubuntuudptruefalse127.0.0.1-33193-false127.0.0.53-53- 354300x8000000000000000313278Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.890{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudpfalsefalse10.0.0.2-53-false10.0.1.20-59316- 354300x8000000000000000313281Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.891{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-51640- 354300x8000000000000000313280Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.891{ec2a0601-f797-63e4-088e-60829d550000}2497/usr/bin/sudoubuntuudptruefalse127.0.0.1-51640-false127.0.0.53-53- 354300x8000000000000000313279Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.891{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-33193- 23542300x8000000000000000313282Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.893{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313283Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.894{00000000-0000-0000-0000-000000000000}2498<unknown process>root 154100x8000000000000000313284Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.895{ec2a0601-f797-63e4-88cd-99b978550000}2499/bin/su-----su/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f797-63e4-088e-60829d550000}2497/usr/bin/sudosudoubuntu 154100x8000000000000000313285Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.903{ec2a0601-f797-63e4-4834-f43c49560000}2500/bin/bash-----bash/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f797-63e4-88cd-99b978550000}2499/bin/susuroot 154100x8000000000000000313286Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.906{ec2a0601-f797-63e4-e0e0-04fb8f550000}2502/usr/bin/groups-----groups/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{00000000-0000-0000-0000-000000000000}2501--- 534500x8000000000000000313288Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.909{ec2a0601-f70b-63e4-0000-000000000000}2501-root 534500x8000000000000000313287Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.909{ec2a0601-f797-63e4-e0e0-04fb8f550000}2502/usr/bin/groupsroot 154100x8000000000000000313289Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.911{ec2a0601-f797-63e4-6862-e07dea550000}2504/bin/dash-----/bin/sh /usr/bin/lesspipe/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{00000000-0000-0000-0000-000000000000}2503--- 154100x8000000000000000313290Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.912{ec2a0601-f797-63e4-e86b-445572550000}2505/usr/bin/basename-----basename /usr/bin/lesspipe/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f797-63e4-6862-e07dea550000}2504/bin/dash/bin/shroot 534500x8000000000000000313291Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.913{ec2a0601-f797-63e4-e86b-445572550000}2505/usr/bin/basenameroot 154100x8000000000000000313292Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.914{ec2a0601-f797-63e4-e8b8-a9314a560000}2507/usr/bin/dirname-----dirname /usr/bin/lesspipe/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{00000000-0000-0000-0000-000000000000}2506--- 534500x8000000000000000313296Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.916{ec2a0601-f797-63e4-0000-000000000000}2503-root 534500x8000000000000000313295Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.916{ec2a0601-f797-63e4-6862-e07dea550000}2504/bin/dashroot 534500x8000000000000000313294Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.916{ec2a0601-f797-63e4-0000-000000000000}2506-root 534500x8000000000000000313293Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.916{ec2a0601-f797-63e4-e8b8-a9314a560000}2507/usr/bin/dirnameroot 154100x8000000000000000313297Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.918{ec2a0601-f797-63e4-4899-f4ab77550000}2509/usr/bin/dircolors-----dircolors -b/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{00000000-0000-0000-0000-000000000000}2508--- 534500x8000000000000000313299Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.919{ec2a0601-f797-63e4-0000-000000000000}2508-root 534500x8000000000000000313298Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:35.919{ec2a0601-f797-63e4-4899-f4ab77550000}2509/usr/bin/dircolorsroot 354300x8000000000000000313300Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:36.639{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-38102-false10.0.1.12-8000- 354300x8000000000000000313301Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:41.675{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53578-false10.0.1.12-8000- 354300x8000000000000000313302Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:46.788{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-53590-false10.0.1.12-8000- 354300x8000000000000000313303Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:48.061{ec2a0601-d388-63e4-60cc-4bf384550000}1525/opt/splunkforwarder/bin/splunkdroottcptruefalse10.0.1.20-57888-false10.0.1.12-8089- 23542300x8000000000000000313304Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:50.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x8000000000000000313305Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.073{ec2a0601-f7a8-63e4-083e-fd36d8550000}2510/usr/bin/sudo-----sudo sh -c echo 3/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f797-63e4-4834-f43c49560000}2500/bin/bashbashroot 354300x8000000000000000313308Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.076{ec2a0601-f7a8-63e4-083e-fd36d8550000}2510/usr/bin/sudorootudptruefalse127.0.0.1-53431-false127.0.0.53-53- 354300x8000000000000000313307Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.076{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-55896- 354300x8000000000000000313306Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.076{ec2a0601-f7a8-63e4-083e-fd36d8550000}2510/usr/bin/sudorootudptruefalse127.0.0.1-55896-false127.0.0.53-53- 354300x8000000000000000313309Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.077{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-53431- 154100x8000000000000000313310Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.079{ec2a0601-f7a8-63e4-68b2-cea334560000}2511/bin/dash-----sh -c echo 3/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f7a8-63e4-083e-fd36d8550000}2510/usr/bin/sudosudoroot 534500x8000000000000000313311Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.080{ec2a0601-f7a8-63e4-68b2-cea334560000}2511/bin/dashroot 534500x8000000000000000313312Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.081{ec2a0601-f7a8-63e4-083e-fd36d8550000}2510/usr/bin/sudoroot 354300x8000000000000000313313Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:52.713{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52040-false10.0.1.12-8000- 354300x8000000000000000313314Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:39:58.649{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-52050-false10.0.1.12-8000- 154100x8000000000000000313315Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.781{ec2a0601-f7b0-63e4-088e-7871ef550000}2512/usr/bin/sudo-----sudo sh -c echo 3 > /proc/sys/vm/drop_caches/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f797-63e4-4834-f43c49560000}2500/bin/bashbashroot 354300x8000000000000000313319Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.785{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-42052- 354300x8000000000000000313318Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.785{ec2a0601-f7b0-63e4-088e-7871ef550000}2512/usr/bin/sudorootudptruefalse127.0.0.1-42052-false127.0.0.53-53- 354300x8000000000000000313317Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.785{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-48263- 354300x8000000000000000313316Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.785{ec2a0601-f7b0-63e4-088e-7871ef550000}2512/usr/bin/sudorootudptruefalse127.0.0.1-48263-false127.0.0.53-53- 154100x8000000000000000313320Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.790{ec2a0601-f7b0-63e4-6872-392cdf550000}2513/bin/dash-----sh -c echo 3 > /proc/sys/vm/drop_caches/home/ubunturoot{ec2a0601-0000-0000-0000-000000000000}03no level-{ec2a0601-f7b0-63e4-088e-7871ef550000}2512/usr/bin/sudosudoroot 534500x8000000000000000313324Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.803{00000000-0000-0000-0000-000000000000}2517<unknown process>root 534500x8000000000000000313323Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.803{00000000-0000-0000-0000-000000000000}2518<unknown process>root 534500x8000000000000000313322Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.803{ec2a0601-f7b0-63e4-0000-000000000000}2519-root 23542300x8000000000000000313321Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.803{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313327Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.804{00000000-0000-0000-0000-000000000000}2516<unknown process>root 534500x8000000000000000313326Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.804{00000000-0000-0000-0000-000000000000}2515<unknown process>root 534500x8000000000000000313325Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.804{ec2a0601-f7b0-63e4-0000-000000000000}2514-root 534500x8000000000000000313329Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.807{ec2a0601-f7b0-63e4-0000-000000000000}2520-root 23542300x8000000000000000313328Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.807{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313331Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.838{ec2a0601-f7b0-63e4-0000-000000000000}2521-root 23542300x8000000000000000313330Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.838{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313334Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.850{00000000-0000-0000-0000-000000000000}2524<unknown process>root 534500x8000000000000000313333Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.850{ec2a0601-f7b0-63e4-0000-000000000000}2525-root 23542300x8000000000000000313332Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.850{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313336Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.851{ec2a0601-f7b0-63e4-0000-000000000000}2523-root 534500x8000000000000000313335Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.851{ec2a0601-f7b0-63e4-0000-000000000000}2522-root 534500x8000000000000000313341Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.861{00000000-0000-0000-0000-000000000000}2529<unknown process>root 534500x8000000000000000313340Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.861{00000000-0000-0000-0000-000000000000}2526<unknown process>root 534500x8000000000000000313339Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.861{00000000-0000-0000-0000-000000000000}2528<unknown process>root 534500x8000000000000000313338Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.861{00000000-0000-0000-0000-000000000000}2527<unknown process>root 23542300x8000000000000000313337Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.861{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313343Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.876{ec2a0601-f7b0-63e4-0000-000000000000}2530-root 23542300x8000000000000000313342Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.876{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313348Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.881{00000000-0000-0000-0000-000000000000}2532<unknown process>root 534500x8000000000000000313347Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.881{00000000-0000-0000-0000-000000000000}2534<unknown process>root 534500x8000000000000000313346Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.881{00000000-0000-0000-0000-000000000000}2531<unknown process>root 534500x8000000000000000313345Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.881{00000000-0000-0000-0000-000000000000}2533<unknown process>root 23542300x8000000000000000313344Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.881{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313350Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.888{00000000-0000-0000-0000-000000000000}2535<unknown process>root 23542300x8000000000000000313349Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.888{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313351Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.890{ec2a0601-f7b0-63e4-6872-392cdf550000}2513/bin/dashroot 534500x8000000000000000313352Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.893{ec2a0601-f7b0-63e4-088e-7871ef550000}2512/usr/bin/sudoroot 23542300x8000000000000000313353Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.914{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313364Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{00000000-0000-0000-0000-000000000000}2547<unknown process>root 534500x8000000000000000313362Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{00000000-0000-0000-0000-000000000000}2539<unknown process>root 534500x8000000000000000313359Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{00000000-0000-0000-0000-000000000000}2536<unknown process>root 534500x8000000000000000313358Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{00000000-0000-0000-0000-000000000000}2542<unknown process>root 534500x8000000000000000313355Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{00000000-0000-0000-0000-000000000000}2537<unknown process>root 534500x8000000000000000313354Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.915{ec2a0601-f7b0-63e4-0000-000000000000}2538-root 534500x8000000000000000313365Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2545<unknown process>root 534500x8000000000000000313363Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2540<unknown process>root 534500x8000000000000000313361Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2543<unknown process>root 534500x8000000000000000313360Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2548<unknown process>root 534500x8000000000000000313357Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2544<unknown process>root 534500x8000000000000000313356Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.916{00000000-0000-0000-0000-000000000000}2541<unknown process>root 534500x8000000000000000313366Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.918{ec2a0601-f7b0-63e4-0000-000000000000}2546-root 534500x8000000000000000313368Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.921{00000000-0000-0000-0000-000000000000}2549<unknown process>root 23542300x8000000000000000313367Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.921{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313370Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.922{00000000-0000-0000-0000-000000000000}2550<unknown process>root 534500x8000000000000000313369Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:00.922{00000000-0000-0000-0000-000000000000}2551<unknown process>root 354300x8000000000000000313371Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:03.684{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45564-false10.0.1.12-8000- 354300x8000000000000000313372Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:09.607{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-45572-false10.0.1.12-8000- 354300x8000000000000000313373Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:14.643{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-42146-false10.0.1.12-8000- 354300x8000000000000000313374Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:19.828{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-42148-false10.0.1.12-8000- 23542300x8000000000000000313375Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:20.299{ec2a0601-d388-63e4-60cc-4bf384550000}1525root/opt/splunkforwarder/bin/splunkd/opt/splunkforwarder/var/spool/splunk/tracker.log--- 154100x8000000000000000313376Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:22.851{ec2a0601-f7c6-63e4-6804-daa0cc550000}2552/bin/ps-----ps -e -o pid,ppid,state,command/var/snap/amazon-ssm-agent/6312root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}1072--- 534500x8000000000000000313377Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:22.893{ec2a0601-f7c6-63e4-6804-daa0cc550000}2552/bin/psroot 354300x8000000000000000313378Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:25.655{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-41092-false10.0.1.12-8000- 354300x8000000000000000313379Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:30.808{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44178-false10.0.1.12-8000- 354300x8000000000000000313380Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:36.774{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-44182-false10.0.1.12-8000- 354300x8000000000000000313381Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:42.660{ec2a0601-d3c7-63e4-d9ff-4d0400000000}1984/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwdroottcptruefalse10.0.1.20-58266-false10.0.1.12-8000- 534500x8000000000000000313382Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:43.834{ec2a0601-d380-63e4-c8fa-9aebae550000}451/lib/systemd/systemd-journaldroot 154100x8000000000000000313383Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.204{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash-----/bin/sh /etc/update-motd.d/50-motd-news --force/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-d379-63e4-5859-31fca3550000}1/lib/systemd/systemd/sbin/initroot 154100x8000000000000000313384Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.211{ec2a0601-f7dc-63e4-a8c0-0ff2e0550000}2555/bin/mktemp-----mktemp/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313386Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.216{ec2a0601-f7dc-63e4-a8a0-cde085550000}2565/bin/mktemp-----mktemp/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313385Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.216{ec2a0601-f7dc-63e4-a8c0-0ff2e0550000}2555/bin/mktemproot 154100x8000000000000000313388Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.218{ec2a0601-f7dc-63e4-a820-cebc08560000}2567/bin/mktemp-----mktemp/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313387Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.218{ec2a0601-f7dc-63e4-a8a0-cde085550000}2565/bin/mktemproot 534500x8000000000000000313389Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.219{ec2a0601-f7dc-63e4-a820-cebc08560000}2567/bin/mktemproot 23542300x8000000000000000313390Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.220{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 154100x8000000000000000313408Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-a0e2-969caa550000}2569/usr/bin/dpkg-query-----dpkg-query --list -- wget/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2568--- 154100x8000000000000000313402Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-f08c-030039560000}2570/usr/bin/gawk-----awk $1 == "ii" { print($3); exit(0); }/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2568--- 154100x8000000000000000313401Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-70c1-13b552560000}2569/usr/bin/dpkg-----dpkg -l wget/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2568--- 534500x8000000000000000313397Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-0000-000000000000}2561-root 534500x8000000000000000313396Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{00000000-0000-0000-0000-000000000000}2557<unknown process>root 534500x8000000000000000313395Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-0000-000000000000}2562-root 534500x8000000000000000313394Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{00000000-0000-0000-0000-000000000000}2566<unknown process>root 534500x8000000000000000313393Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{00000000-0000-0000-0000-000000000000}2556<unknown process>root 534500x8000000000000000313392Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-0000-000000000000}2558-root 534500x8000000000000000313391Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.221{ec2a0601-f7dc-63e4-0000-000000000000}2560-root 534500x8000000000000000313400Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.222{00000000-0000-0000-0000-000000000000}2564<unknown process>root 534500x8000000000000000313399Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.222{00000000-0000-0000-0000-000000000000}2559<unknown process>root 534500x8000000000000000313398Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.222{00000000-0000-0000-0000-000000000000}2563<unknown process>root 534500x8000000000000000313407Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.228{00000000-0000-0000-0000-000000000000}2574<unknown process>root 534500x8000000000000000313406Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.228{ec2a0601-f7dc-63e4-0000-000000000000}2571-root 534500x8000000000000000313405Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.228{ec2a0601-f7dc-63e4-0000-000000000000}2572-root 534500x8000000000000000313404Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.228{ec2a0601-f7dc-63e4-0000-000000000000}2573-root 23542300x8000000000000000313403Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.228{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313409Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.249{ec2a0601-f7dc-63e4-70c1-13b552560000}2569/usr/bin/dpkgroot 534500x8000000000000000313411Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.250{00000000-0000-0000-0000-000000000000}2568<unknown process>root 534500x8000000000000000313410Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.250{ec2a0601-f7dc-63e4-f08c-030039560000}2570/usr/bin/gawkroot 154100x8000000000000000313413Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.251{ec2a0601-f7dc-63e4-f8ba-76288e550000}2577/bin/sed-----sed -e s/ /\//g/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2575--- 534500x8000000000000000313412Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.251{00000000-0000-0000-0000-000000000000}2576<unknown process>root 534500x8000000000000000313414Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.255{ec2a0601-f7dc-63e4-f8ba-76288e550000}2577/bin/sedroot 154100x8000000000000000313416Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.256{ec2a0601-f7dc-63e4-807e-a17489550000}2578/bin/uname-----uname -o/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313415Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.256{00000000-0000-0000-0000-000000000000}2575<unknown process>root 154100x8000000000000000313418Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.259{ec2a0601-f7dc-63e4-80de-d78080550000}2579/bin/uname-----uname -r/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313417Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.259{ec2a0601-f7dc-63e4-807e-a17489550000}2578/bin/unameroot 154100x8000000000000000313420Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.260{ec2a0601-f7dc-63e4-80ee-067717560000}2580/bin/uname-----uname -m/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313419Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.260{ec2a0601-f7dc-63e4-80de-d78080550000}2579/bin/unameroot 154100x8000000000000000313422Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.261{ec2a0601-f7dc-63e4-800e-2a53ec550000}2581/bin/uname-----uname -m/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313421Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.261{ec2a0601-f7dc-63e4-80ee-067717560000}2580/bin/unameroot 154100x8000000000000000313425Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.262{ec2a0601-f7dc-63e4-50ac-6bdc63550000}2583/bin/grep-----grep -m1 ^model name /proc/cpuinfo/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2582--- 534500x8000000000000000313423Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.262{ec2a0601-f7dc-63e4-800e-2a53ec550000}2581/bin/unameroot 154100x8000000000000000313424Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.263{ec2a0601-f7dc-63e4-f87a-e759fd550000}2584/bin/sed-----sed -e s/.*: // -e s:\s\+:/:g/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2582--- 534500x8000000000000000313426Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.267{ec2a0601-f7dc-63e4-50ac-6bdc63550000}2583/bin/greproot 154100x8000000000000000313429Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.268{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6-----/usr/bin/python3 /usr/bin/cloud-id/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313428Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.268{ec2a0601-f7dc-63e4-0000-000000000000}2582-root 534500x8000000000000000313427Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.268{ec2a0601-f7dc-63e4-f87a-e759fd550000}2584/bin/sedroot 534500x8000000000000000313431Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.288{00000000-0000-0000-0000-000000000000}2586<unknown process>root 23542300x8000000000000000313430Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.288{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 23542300x8000000000000000313432Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.311{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313435Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.312{00000000-0000-0000-0000-000000000000}2587<unknown process>root 534500x8000000000000000313434Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.312{00000000-0000-0000-0000-000000000000}2588<unknown process>root 534500x8000000000000000313433Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.312{ec2a0601-f7dc-63e4-0000-000000000000}2589-root 23542300x8000000000000000313436Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.827{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313437Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.828{ec2a0601-f7dc-63e4-0000-000000000000}2590-root 154100x8000000000000000313439Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.846{ec2a0601-f7dc-63e4-b871-56b44c7f0000}2591/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 154100x8000000000000000313438Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.846{ec2a0601-f7dc-63e4-6812-6873b7550000}2591/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 534500x8000000000000000313440Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.860{ec2a0601-f7dc-63e4-6812-6873b7550000}2591/bin/dashroot 154100x8000000000000000313442Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.965{ec2a0601-f7dc-63e4-b8f1-5cd8737f0000}2592/sbin/ldconfig.real-----/sbin/ldconfig.real -p/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 154100x8000000000000000313441Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.965{ec2a0601-f7dc-63e4-6892-868dfe550000}2592/bin/dash-----/bin/sh /sbin/ldconfig -p/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 534500x8000000000000000313443Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:44.968{ec2a0601-f7dc-63e4-6892-868dfe550000}2592/bin/dashroot 154100x8000000000000000313444Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.107{ec2a0601-f7dd-63e4-6892-712407560000}2593/bin/dash-----/bin/sh -c uname -p 2> /dev/null/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 154100x8000000000000000313445Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.109{ec2a0601-f7dd-63e4-80de-847deb550000}2594/bin/uname-----uname -p/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dd-63e4-6892-712407560000}2593/bin/dash/bin/shroot 534500x8000000000000000313447Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.110{ec2a0601-f7dd-63e4-6892-712407560000}2593/bin/dashroot 534500x8000000000000000313446Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.110{ec2a0601-f7dd-63e4-80de-847deb550000}2594/bin/unameroot 154100x8000000000000000313448Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.328{ec2a0601-f7dd-63e4-7876-0b8c7d550000}2595/usr/bin/systemd-detect-virt-----systemd-detect-virt --quiet --container/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6/usr/bin/python3root 534500x8000000000000000313449Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.346{ec2a0601-f7dd-63e4-7876-0b8c7d550000}2595/usr/bin/systemd-detect-virtroot 534500x8000000000000000313450Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.437{ec2a0601-f7dc-63e4-2030-7b0000000000}2585/usr/bin/python3.6root 154100x8000000000000000313452Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.438{ec2a0601-f7dd-63e4-b850-7e313b560000}2597/usr/bin/cut-----cut -c -40 /tmp/tmp.8ifRwUiVyu/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2596--- 154100x8000000000000000313451Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.438{ec2a0601-f7dd-63e4-e0a5-4407cc550000}2598/usr/bin/tr-----tr -c -d [:alnum:]/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{00000000-0000-0000-0000-000000000000}2596--- 534500x8000000000000000313453Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.440{ec2a0601-f7dd-63e4-b850-7e313b560000}2597/usr/bin/cutroot 154100x8000000000000000313456Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.441{ec2a0601-f7dd-63e4-706c-1b7e85550000}2599/usr/bin/wget-----wget --timeout 60 -U wget/1.19.4-1ubuntu2.2 Ubuntu/18.04.6/LTS GNU/Linux/5.4.0-1094-aws/x86_64 Intel(R)/Xeon(R)/Platinum/8259CL/CPU/@/2.50GHz cloud_id/aws -O- --content-on-error https://motd.ubuntu.com/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313455Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.441{ec2a0601-f7dc-63e4-0000-000000000000}2596-root 534500x8000000000000000313454Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.441{ec2a0601-f7dd-63e4-e0a5-4407cc550000}2598/usr/bin/trroot 354300x8000000000000000313457Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.462{ec2a0601-f7dd-63e4-706c-1b7e85550000}2599/usr/bin/wgetrootudptruefalse127.0.0.1-50915-false127.0.0.53-53- 354300x8000000000000000313460Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.463{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse127.0.0.53-53-false127.0.0.1-50915- 354300x8000000000000000313459Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.463{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-33519-false10.0.0.2-53- 354300x8000000000000000313458Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.463{ec2a0601-d383-63e4-6078-25ee5a550000}898/lib/systemd/systemd-resolvedsystemd-resolveudptruefalse10.0.1.20-52414-false10.0.0.2-53- 534500x8000000000000000313462Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.466{ec2a0601-f7dc-63e4-0000-000000000000}2600-root 23542300x8000000000000000313461Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.466{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313463Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.467{00000000-0000-0000-0000-000000000000}2601<unknown process>root 354300x8000000000000000313464Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.546{ec2a0601-f7dd-63e4-706c-1b7e85550000}2599/usr/bin/wgetroottcptruefalse10.0.1.20-33554-false34.254.182.186-443- 534500x8000000000000000313465Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.795{ec2a0601-f7dd-63e4-706c-1b7e85550000}2599/usr/bin/wgetroot 154100x8000000000000000313472Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.796{ec2a0601-f7dd-63e4-d0b9-99d87c550000}2602/bin/cat-----cat /tmp/tmp.d1Pr7zZTb3/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313468Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.796{ec2a0601-f7dd-63e4-7812-a381ed550000}2603/usr/bin/head-----head -n 10/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313467Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.796{ec2a0601-f7dd-63e4-b830-b3e47f550000}2606/usr/bin/cut-----cut -c -80/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313466Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.796{ec2a0601-f7dd-63e4-e0b5-172e02560000}2604/usr/bin/tr-----tr -d \000-\011\013\014\016-\037/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313471Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.798{00000000-0000-0000-0000-000000000000}2605<unknown process>root 534500x8000000000000000313470Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.798{00000000-0000-0000-0000-000000000000}2607<unknown process>root 23542300x8000000000000000313469Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.798{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313476Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.800{ec2a0601-f7dd-63e4-e0b5-172e02560000}2604/usr/bin/trroot 534500x8000000000000000313475Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.800{ec2a0601-f7dd-63e4-b830-b3e47f550000}2606/usr/bin/cutroot 534500x8000000000000000313474Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.800{ec2a0601-f7dd-63e4-7812-a381ed550000}2603/usr/bin/headroot 534500x8000000000000000313473Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.800{ec2a0601-f7dd-63e4-d0b9-99d87c550000}2602/bin/catroot 154100x8000000000000000313480Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.801{ec2a0601-f7dd-63e4-b8b0-01442f560000}2611/usr/bin/cut-----cut -c -80/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313479Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.801{ec2a0601-f7dd-63e4-e065-580cbe550000}2610/usr/bin/tr-----tr -d \000-\011\013\014\016-\037/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313478Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.801{ec2a0601-f7dd-63e4-78a2-456dfc550000}2609/usr/bin/head-----head -n 10/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 154100x8000000000000000313477Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.801{ec2a0601-f7dd-63e4-d049-c91f03560000}2608/bin/cat-----cat /tmp/tmp.d1Pr7zZTb3/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313483Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.802{ec2a0601-f7dd-63e4-e065-580cbe550000}2610/usr/bin/trroot 534500x8000000000000000313482Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.802{ec2a0601-f7dd-63e4-78a2-456dfc550000}2609/usr/bin/headroot 534500x8000000000000000313481Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.802{ec2a0601-f7dd-63e4-d049-c91f03560000}2608/bin/catroot 154100x8000000000000000313485Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.803{ec2a0601-f7dd-63e4-7063-10c75f550000}2612/bin/rm-----rm -f /tmp/tmp.d1Pr7zZTb3 /tmp/tmp.NdF9Qi8z43 /tmp/tmp.8ifRwUiVyu/root{ec2a0601-0000-0000-0000-000000000000}04294967295no level-{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dash/bin/shroot 534500x8000000000000000313484Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.803{ec2a0601-f7dd-63e4-b8b0-01442f560000}2611/usr/bin/cutroot 23542300x8000000000000000313487Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.805{ec2a0601-f7dd-63e4-7063-10c75f550000}2612root/bin/rm/tmp/tmp.NdF9Qi8z43--- 23542300x8000000000000000313486Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.805{ec2a0601-f7dd-63e4-7063-10c75f550000}2612root/bin/rm/tmp/tmp.d1Pr7zZTb3--- 23542300x8000000000000000313491Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.806{ec2a0601-d380-63e4-c8fa-9aebae550000}451root/lib/systemd/systemd-journald/run/systemd/journal/streams/9:32611--- 534500x8000000000000000313490Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.806{ec2a0601-f7dc-63e4-6892-c0cbe9550000}2554/bin/dashroot 534500x8000000000000000313489Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.806{ec2a0601-f7dd-63e4-7063-10c75f550000}2612/bin/rmroot 23542300x8000000000000000313488Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.806{ec2a0601-f7dd-63e4-7063-10c75f550000}2612root/bin/rm/tmp/tmp.8ifRwUiVyu--- 23542300x8000000000000000313492Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.807{ec2a0601-d379-63e4-5859-31fca3550000}1root/lib/systemd/systemd/run/systemd/units/invocation:motd-news.service--- 534500x8000000000000000313500Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2616<unknown process>root 534500x8000000000000000313499Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2622<unknown process>root 534500x8000000000000000313498Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2615<unknown process>root 534500x8000000000000000313497Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2614<unknown process>root 534500x8000000000000000313496Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2619<unknown process>root 534500x8000000000000000313495Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{00000000-0000-0000-0000-000000000000}2620<unknown process>root 534500x8000000000000000313494Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{ec2a0601-d380-63e4-c8fa-9aebae550000}2623-root 23542300x8000000000000000313493Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.869{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue--- 534500x8000000000000000313503Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.870{ec2a0601-f7dd-63e4-0000-000000000000}2621-root 534500x8000000000000000313502Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.870{00000000-0000-0000-0000-000000000000}2618<unknown process>root 534500x8000000000000000313501Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.870{00000000-0000-0000-0000-000000000000}2617<unknown process>root 534500x8000000000000000313505Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.893{ec2a0601-f7dd-63e4-0000-000000000000}2625-root 23542300x8000000000000000313504Linux-Sysmon/Operationalsysmonlinux-ctus-attack-range-8383-2023-02-09 13:40:45.893{ec2a0601-d381-63e4-28a0-4cd8dd550000}502root/lib/systemd/systemd-udevd/run/udev/queue---