5156101281000x8020000000000000328555Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328554Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135360%%1460836 5156101281000x8020000000000000328557Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328556Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135460%%1460836 5156101281000x8020000000000000328559Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328558Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135560%%1460836 5156101281000x8020000000000000328563Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe%%1459310.0.1.155135710.0.1.128089666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328562Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe0.0.0.05135760%%1460836 5156101281000x8020000000000000328561Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135610.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328560Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135660%%1460836 4688201331200x8020000000000000328566Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70xe68C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328565Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1578C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000328564Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1578C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328569Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1210C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 4688201331200x8020000000000000328568Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1210C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328567Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10xe68C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4689001331300x8020000000000000328571Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x16e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328570Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x16e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328575Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x9fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000328574Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x9fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328573Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x354C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328572Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x354C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328577Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135810.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328576Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135860%%1460836 4689001331300x8020000000000000328579Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x17e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 4688201331200x8020000000000000328578Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x17e8C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328581Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155135910.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328580Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05135960%%1460836 4688201331200x8020000000000000336690Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x880C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336689Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xf00C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328583Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136010.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328582Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136060%%1460836 4688201331200x8020000000000000336691Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1230C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000336695Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x4fe9d43 4624201254400x8020000000000000336694Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x4fe9d43KerberosKerberos-{48238CC2-5DA9-80AE-5604-EA8624F76BA0}--00x0-::154127%%1833---%%18430x0%%1842 4672001254800x8020000000000000336693Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x4fe9d4SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000336692Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336696Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336697Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x8bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328585Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136110.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328584Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136160%%1460836 4688201331200x8020000000000000336698Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x53cC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328587Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136210.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328586Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136260%%1460836 5152001280900x8010000000000000328588Securitywin-host-ctus-attack-range-1150-%%1459210.0.1.12808910.0.1.1551357667085%%1459713 4634001254500x8020000000000000336699Securitywin-dc-ctus-attack-range-146.attackrange.localATTACKRANGE\WIN-DC-CTUS-ATT$WIN-DC-CTUS-ATT$ATTACKRANGE0x4ddf1d3 4703001331700x8020000000000000328603Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328602Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328601Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328600Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328599Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328598Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4670001357000x8020000000000000328597Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0x14e0D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x35cC:\Windows\System32\svchost.exe 4703001331700x8020000000000000328596Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328595Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328594Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328593Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328592Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328591Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 5156101281000x8020000000000000328590Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328589Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136360%%1460836 5156101281000x8020000000000000328605Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328604Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136460%%1460836 5156101281000x8020000000000000328607Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328606Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136560%%1460836 5156101281000x8020000000000000328609Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136610.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328608Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136660%%1460836 5156101281000x8020000000000000328611Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136710.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328610Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136760%%1460836 5156101281000x8020000000000000328613Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe%%1459310.0.1.155136810.0.1.128089666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328612Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe0.0.0.05136860%%1460836 4688201331200x8020000000000000328616Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x13dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328615Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x10bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000328614Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328621Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000328620Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328619Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155136910.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328618Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05136960%%1460836 4689001331300x8020000000000000328617Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x13dcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 4689001331300x8020000000000000328623Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328622Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000328626Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328625Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x121cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000328624Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x121cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328627Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000328629Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1398C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 4688201331200x8020000000000000328628Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1398C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328631Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137010.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328630Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137060%%1460836 5156101281000x8020000000000000328633Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137110.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328632Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137160%%1460836 5156101281000x8020000000000000328634Securitywin-host-ctus-attack-range-115920\device\harddiskvolume1\windows\system32\svchost.exe%%14592156.96.115.745604210.0.1.153389666665%%1461044S-1-0-0S-1-0-0 4688201331200x8020000000000000336701Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336700Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x648C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336702Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x530C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328636Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137210.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328635Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137260%%1460836 4634001254500x8020000000000000336706Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x506c0c3 4624201254400x8020000000000000336705Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x506c0c3KerberosKerberos-{48238CC2-5DA9-80AE-5604-EA8624F76BA0}--00x0-::154140%%1833---%%18430x0%%1842 4672001254800x8020000000000000336704Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x506c0cSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000336703Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1238C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336708Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1034C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4957001357100x8010000000000000328640Securitywin-host-ctus-attack-range-115PlayTo-SSDP-Discovery-PlayToScopeCast to Device SSDP Discovery (UDP-In)Local Port 4957001357100x8010000000000000328639Securitywin-host-ctus-attack-range-115MDNS-In-UDPmDNS (UDP-In)Local Port 4957001357100x8010000000000000328638Securitywin-host-ctus-attack-range-115CoreNet-IPHTTPS-InCore Networking - IPHTTPS (TCP-In)Local Port 4957001357100x8010000000000000328637Securitywin-host-ctus-attack-range-115CoreNet-Teredo-InCore Networking - Teredo (UDP-In)Local Port 4688201331200x8020000000000000336707Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1170C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336709Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x8fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328642Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328641Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137360%%1460836 5152001280900x8010000000000000328643Securitywin-host-ctus-attack-range-1150-%%1459210.0.1.12808910.0.1.1551368667085%%1459713 5156101281000x8020000000000000328645Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328644Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137460%%1460836 4703001331700x8020000000000000328658Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328657Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328656Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328655Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328654Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328653Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4670001357000x8020000000000000328652Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0x1ba0D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x35cC:\Windows\System32\svchost.exe 4703001331700x8020000000000000328651Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328650Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328649Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328648Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328647Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328646Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 5156101281000x8020000000000000328660Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328659Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137560%%1460836 5156101281000x8020000000000000328662Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137610.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328661Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137660%%1460836 4703001331700x8020000000000000328663Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Program Files\Mozilla Firefox\firefox.exe0x10d8SeDebugPrivilege- 5156101281000x8020000000000000328665Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137710.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328664Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137760%%1460836 5156101281000x8020000000000000328667Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137810.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328666Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137860%%1460836 5156101281000x8020000000000000328669Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155137910.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328668Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05137960%%1460836 5156101281000x8020000000000000328671Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe%%1459310.0.1.155138010.0.1.128089666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328670Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe0.0.0.05138060%%1460836 4689001331300x8020000000000000328675Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10xd50C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000328674Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70xd50C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328673Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10xa18C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000328672Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70xa18C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328679Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x132cC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 4688201331200x8020000000000000328678Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x132cC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328677Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138110.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328676Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138160%%1460836 4689001331300x8020000000000000328681Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328680Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328685Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1078C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000328684Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1078C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328683Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x758C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328682Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x758C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328687Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10xabcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 4688201331200x8020000000000000328686Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70xabcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328689Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138210.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328688Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138260%%1460836 5156101281000x8020000000000000328691Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328690Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138360%%1460836 4688201331200x8020000000000000336711Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x4ccC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336710Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xa70C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336712Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x45cC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000336716Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x50ee663 4624201254400x8020000000000000336715Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x50ee663KerberosKerberos-{48238CC2-5DA9-80AE-5604-EA8624F76BA0}--00x0-::154152%%1833---%%18430x0%%1842 4672001254800x8020000000000000336714Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x50ee66SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000336713Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xc68C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336718Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1298C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328693Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328692Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138460%%1460836 4688201331200x8020000000000000336717Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x4fcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336719Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328695Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328694Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138560%%1460836 5152001280900x8010000000000000328696Securitywin-host-ctus-attack-range-1150-%%1459210.0.1.12808910.0.1.1551380667085%%1459713 5156101281000x8020000000000000328698Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138610.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328697Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138660%%1460836 4703001331700x8020000000000000328711Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328710Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328709Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328708Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328707Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328706Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4670001357000x8020000000000000328705Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0xfa8D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x35cC:\Windows\System32\svchost.exe 4703001331700x8020000000000000328704Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328703Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328702Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328701Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328700Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328699Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4634001254500x8020000000000000336730Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511c423 4634001254500x8020000000000000336729Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511d523 4634001254500x8020000000000000336728Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511da23 4624201254400x8020000000000000336727Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x511e603KerberosKerberos-{4AFBF4EE-25EE-6557-622C-FB526D42463B}--00x0-fe80::8d82:ead9:cfe2:12d154159%%1840---%%18430x0%%1842 4672001254800x8020000000000000336726Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511e60SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000336725Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x511da23KerberosKerberos-{4AFBF4EE-25EE-6557-622C-FB526D42463B}--00x0-10.0.1.1454158%%1833---%%18430x0%%1842 4672001254800x8020000000000000336724Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511da2SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000336723Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x511d523KerberosKerberos-{4AFBF4EE-25EE-6557-622C-FB526D42463B}--00x0-::10%%1833---%%18430x0%%1842 4672001254800x8020000000000000336722Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511d52SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4624201254400x8020000000000000336721Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x511c423KerberosKerberos-{4AFBF4EE-25EE-6557-622C-FB526D42463B}--00x0-fe80::8d82:ead9:cfe2:12d154157%%1833---%%18430x0%%1842 4672001254800x8020000000000000336720Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511c42SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 5156101281000x8020000000000000328713Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138710.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328712Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138760%%1460836 5156101281000x8020000000000000328715Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138810.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328714Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138860%%1460836 5152001280900x8010000000000000328716Securitywin-host-ctus-attack-range-1150-%%145922.57.122.2093331610.0.1.1580667085%%1459713 4634001254500x8020000000000000336731Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x511e603 5156101281000x8020000000000000328718Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155138910.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328717Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05138960%%1460836 4634001254500x8020000000000000336734Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x5134603 4624201254400x8020000000000000336733Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x5134603KerberosKerberos-{C9441515-5967-BAF8-BCE3-09F3F9050C8F}--00x0-10.0.1.1454163%%1833---%%18430x0%%1842 4672001254800x8020000000000000336732Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x513460SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4634001254500x8020000000000000336737Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x5135bd3 4624201254400x8020000000000000336736Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x5135bd3KerberosKerberos-{C9441515-5967-BAF8-BCE3-09F3F9050C8F}--00x0-10.0.1.1454164%%1833---%%18430x0%%1842 4672001254800x8020000000000000336735Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x5135bdSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 5156101281000x8020000000000000328720Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139010.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328719Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139060%%1460836 4689001331300x8020000000000000328722Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x00x1428C:\Windows\System32\conhost.exe 4689001331300x8020000000000000328721Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910xc000013a0x13d4C:\Windows\System32\cmd.exe 5156101281000x8020000000000000328724Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139110.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328723Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139160%%1460836 4688201331200x8020000000000000328729Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x13d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328728Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x11d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000328727Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x11d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328726Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe%%1459310.0.1.155139210.0.1.128089666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328725Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe0.0.0.05139260%%1460836 4688201331200x8020000000000000328739Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1550C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328738Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x171cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4688201331200x8020000000000000328737Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x171cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000328736Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x618C:\Windows\System32\conhost.exe%%19360x1258\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4658001280000x8020000000000000328735Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0x1ab80xf7cC:\Windows\explorer.exe 4656101280000x8020000000000000328734Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityFileC:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms0x1ab8{00000000-0000-0000-0000-000000000000}%%1538 %%1541 %%4416 %%4419 %%4423 %%1538: %%1801 D:(A;;0x1200a9;;;BA) %%1541: %%1801 D:(A;;0x1200a9;;;BA) %%4416: %%1801 D:(A;;0x1200a9;;;BA) %%4419: %%1801 D:(A;;0x1200a9;;;BA) %%4423: %%1801 D:(A;;0x1200a9;;;BA) 0x120089-00xf7cC:\Windows\explorer.exe- 4658001280000x8020000000000000328733Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0xd480xf7cC:\Windows\explorer.exe 4690001280700x8020000000000000328732Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x1ab80xf7c0xd480x4 4688201331200x8020000000000000328731Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x1258C:\Windows\System32\cmd.exe%%19360xf7c"cmd.exe" /s /k pushd "C:\Temp\poc_2"NULL SID--0x0C:\Windows\explorer.exeMandatory Label\High Mandatory Level 4689001331300x8020000000000000328730Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x13d0C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 4689001331300x8020000000000000328740Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1550C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328743Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328742Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x2b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4688201331200x8020000000000000328741Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x2b0C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328744Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4689001331300x8020000000000000328748Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1630C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 4688201331200x8020000000000000328747Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1630C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328746Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328745Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139360%%1460836 5156101281000x8020000000000000328750Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328749Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139460%%1460836 5156101281000x8020000000000000328753Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe%%1459310.0.1.155139510.0.1.168081666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328752Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe0.0.0.05139560%%1460836 4688201331200x8020000000000000328751Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x570C:\Temp\poc_2\c2_agent.exe%%19360x1258c2_agent.exe 10.0.1.16NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000336739Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x121cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336738Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x8bcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328758Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139610.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328757Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139660%%1460836 5156101281000x8020000000000000328756Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155957710.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328755Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::59577170%%1460838 5158001281000x8020000000000000328754Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::59577170%%1460836 4688201331200x8020000000000000336740Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x954C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4634001254500x8020000000000000336744Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x517b553 4624201254400x8020000000000000336743Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x517b553KerberosKerberos-{48238CC2-5DA9-80AE-5604-EA8624F76BA0}--00x0-::154171%%1833---%%18430x0%%1842 4672001254800x8020000000000000336742Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x517b55SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000336741Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xd30C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336746Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336745Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xd1cC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336747Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x13ecC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328760Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139710.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328759Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139760%%1460836 4703001331700x8020000000000000328761Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Temp\poc_2\c2_agent.exe0x570SeDebugPrivilege- 5156101281000x8020000000000000328763Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe%%1459310.0.1.155139810.0.1.168081666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328762Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe0.0.0.05139860%%1460836 5156101281000x8020000000000000328766Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155139910.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328765Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05139960%%1460836 5152001280900x8010000000000000328764Securitywin-host-ctus-attack-range-1150-%%1459210.0.1.12808910.0.1.1551392667085%%1459713 4703001331700x8020000000000000328779Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328778Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328777Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328776Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328775Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328774Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4670001357000x8020000000000000328773Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0x1978D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x35cC:\Windows\System32\svchost.exe 4703001331700x8020000000000000328772Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328771Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328770Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328769Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328768Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328767Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4689001331300x8020000000000000328790Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x00x1688C:\Windows\System32\calc.exe 4688201331200x8020000000000000328789Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70xaccC:\Windows\System32\win32calc.exe%%19360x1688"C:\Windows\System32\win32calc.exe" NULL SID--0x0C:\Windows\System32\calc.exeMandatory Label\System Mandatory Level 4673001305600x8020000000000000328788Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NT Local Security Authority / Authentication ServiceLsaRegisterLogonProcess()SeTcbPrivilege0x26cC:\Windows\System32\lsass.exe 4688201331200x8020000000000000328787Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10bcC:\Windows\System32\svchost.exe%%19360x264C:\Windows\system32\svchost.exe -k wsappxNULL SID--0x0C:\Windows\System32\services.exeMandatory Label\System Mandatory Level 4670001357000x8020000000000000328786Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0x378D:(A;;GA;;;SY)(A;;RCGXGR;;;BA)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-1949724575-2387902436-65106593-1201171665-3967308604)(A;;GA;;;S-1-5-80-65843127-2189646064-2697706863-2125155322-3141006483)0x264C:\Windows\System32\services.exe 4672001254800x8020000000000000328785Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e7SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege 4624201254400x8020000000000000328784Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NT AUTHORITY\SYSTEMSYSTEMNT AUTHORITY0x3e75Advapi Negotiate-{00000000-0000-0000-0000-000000000000}--00x264C:\Windows\System32\services.exe--%%1833---%%18430x0%%1842 4688201331200x8020000000000000328783Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1688C:\Windows\System32\calc.exe%%19360x570"calc.exe"NULL SID--0x0C:\Temp\poc_2\c2_agent.exeMandatory Label\System Mandatory Level 4673001305600x8020000000000000328782Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NT Local Security Authority / Authentication ServiceLsaRegisterLogonProcess()SeTcbPrivilege0x26cC:\Windows\System32\lsass.exe 5156101281000x8020000000000000328781Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140010.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328780Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140060%%1460836 5156101281000x8020000000000000328792Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe%%1459310.0.1.155140110.0.1.168081666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328791Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe0.0.0.05140160%%1460836 4689001331300x8020000000000000328793Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x00xaccC:\Windows\System32\win32calc.exe 5156101281000x8020000000000000328795Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140210.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328794Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140260%%1460836 5156101281000x8020000000000000328797Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328796Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140360%%1460836 5156101281000x8020000000000000328808Securitywin-host-ctus-attack-range-1154312\device\harddiskvolume1\program files\mozilla firefox\firefox.exe%%1459310.0.1.1557050142.250.191.1644431766774%%1461148S-1-0-0S-1-0-0 5156101281000x8020000000000000328807Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155888710.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328806Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::58887170%%1460838 5158001281000x8020000000000000328805Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::58887170%%1460836 5156101281000x8020000000000000328804Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.156071710.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328803Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::60717170%%1460838 5158001281000x8020000000000000328802Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::60717170%%1460836 5158001281000x8020000000000000328801Securitywin-host-ctus-attack-range-1154312\device\harddiskvolume1\program files\mozilla firefox\firefox.exe0.0.0.057050170%%1460836 5156101281000x8020000000000000328800Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155704910.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328799Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::57049170%%1460838 5158001281000x8020000000000000328798Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::57049170%%1460836 5156101281000x8020000000000000328813Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155471010.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328812Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::54710170%%1460838 5158001281000x8020000000000000328811Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::54710170%%1460836 5156101281000x8020000000000000328810Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328809Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140460%%1460836 5156101281000x8020000000000000328815Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328814Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140560%%1460836 4688201331200x8020000000000000328820Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x81cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328819Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 4688201331200x8020000000000000328818Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1f8C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328817Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe%%1459310.0.1.155140610.0.1.128089666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328816Securitywin-host-ctus-attack-range-1152000\device\harddiskvolume1\program files\splunkuniversalforwarder\bin\splunkd.exe0.0.0.05140660%%1460836 4689001331300x8020000000000000328823Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 4688201331200x8020000000000000328822Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328821Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x81cC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 4689001331300x8020000000000000328827Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1310C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328826Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1310C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328825Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140710.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328824Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140760%%1460836 4688201331200x8020000000000000328830Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x614C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328829Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x16b4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 4688201331200x8020000000000000328828Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x16b4C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4689001331300x8020000000000000328838Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x00x1344C:\Windows\System32\eventvwr.exe 4688201331200x8020000000000000328837Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910xff0C:\Windows\System32\mmc.exe%%19360x1344"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" NULL SID--0x0C:\Windows\System32\eventvwr.exeMandatory Label\High Mandatory Level 4658001280000x8020000000000000328836Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0x22f00xf7cC:\Windows\explorer.exe 4656101280000x8020000000000000328835Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityFileC:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms0x22f0{00000000-0000-0000-0000-000000000000}%%1538 %%1541 %%4416 %%4419 %%4423 %%1538: %%1801 D:(A;;0x1200a9;;;BA) %%1541: %%1801 D:(A;;0x1200a9;;;BA) %%4416: %%1801 D:(A;;0x1200a9;;;BA) %%4419: %%1801 D:(A;;0x1200a9;;;BA) %%4423: %%1801 D:(A;;0x1200a9;;;BA) 0x120089-00xf7cC:\Windows\explorer.exe- 4658001280000x8020000000000000328834Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0xee80xf7cC:\Windows\explorer.exe 4690001280700x8020000000000000328833Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x22f00xf7c0xee80x4 4688201331200x8020000000000000328832Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x1344C:\Windows\System32\eventvwr.exe%%19360xf7c"C:\Windows\system32\eventvwr.exe" NULL SID--0x0C:\Windows\explorer.exeMandatory Label\High Mandatory Level 4689001331300x8020000000000000328831Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x614C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 4703001331700x8020000000000000328855Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Windows\System32\mmc.exe0xff0SeSecurityPrivilege- 4689001331300x8020000000000000328854Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x10x1718C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 4688201331200x8020000000000000328853Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e70x1718C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360x7d0"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4673001305600x8020000000000000328852Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security-SeCreateGlobalPrivilege0xff0C:\Windows\System32\mmc.exe 4656101280000x8010000000000000328851Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityFileC:\Windows\System32\eventvwr.msc0x0{00000000-0000-0000-0000-000000000000}%%1538 %%1541 %%4417 %%4418 %%4420 %%4423 %%4424 %%1538: %%1801 D:(A;;0x1200a9;;;BA) %%1541: %%1801 D:(A;;0x1200a9;;;BA) %%4417: %%1805 %%4418: %%1805 %%4420: %%1805 %%4423: %%1811 D:(A;;0x1301bf;;;BA) %%4424: %%1805 0x120196-00xff0C:\Windows\System32\mmc.exe- 4658001280100x8020000000000000328850Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0x3600xff0C:\Windows\System32\mmc.exe 4656101280100x8020000000000000328849Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityKey\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates0x360{00000000-0000-0000-0000-000000000000}%%1537 %%1538 %%4432 %%4433 %%4434 %%4435 %%4436 -0x3001f-00xff0C:\Windows\System32\mmc.exe- 4658001280100x8020000000000000328848Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0xc880xff0C:\Windows\System32\mmc.exe 4690001280700x8020000000000000328847Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x3600xff00xc880x4 4658001280100x8020000000000000328846Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0x35c0xff0C:\Windows\System32\mmc.exe 4656101280100x8020000000000000328845Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityKey\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates0x35c{00000000-0000-0000-0000-000000000000}%%1537 %%1538 %%4432 %%4433 %%4434 %%4435 %%4436 -0x3001f-00xff0C:\Windows\System32\mmc.exe- 4658001280100x8020000000000000328844Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0xc880xff0C:\Windows\System32\mmc.exe 4690001280700x8020000000000000328843Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x35c0xff00xc880x4 4658001280100x8020000000000000328842Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0x3580xff0C:\Windows\System32\mmc.exe 4656101280100x8020000000000000328841Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91SecurityKey\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates0x358{00000000-0000-0000-0000-000000000000}%%1537 %%1538 %%4432 %%4433 %%4434 %%4435 %%4436 -0x3001f-00xff0C:\Windows\System32\mmc.exe- 4658001280100x8020000000000000328840Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91Security0xc880xff0C:\Windows\System32\mmc.exe 4690001280700x8020000000000000328839Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b910x3580xff00xc880x4 4703001331700x8020000000000000328856Securitywin-host-ctus-attack-range-115WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91WIN-HOST-CTUS-A\AdministratorAdministratorWIN-HOST-CTUS-A0x288b91C:\Windows\System32\mmc.exe0xff0SeSecurityPrivilege- 5156101281000x8020000000000000328860Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe%%1459310.0.1.155140910.0.1.168081666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328859Securitywin-host-ctus-attack-range-1151392\device\harddiskvolume1\temp\poc_2\c2_agent.exe0.0.0.05140960%%1460836 5156101281000x8020000000000000328858Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155140810.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328857Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05140860%%1460836 5156101281000x8020000000000000328867Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155141172.21.81.24080666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328866Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe0.0.0.05141160%%1460836 5156101281000x8020000000000000328865Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155660210.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328864Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::56602170%%1460838 5158001281000x8020000000000000328863Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::56602170%%1460836 5156101281000x8020000000000000328862Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155141010.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328861Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05141060%%1460836 4688201331200x8020000000000000336749Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x6c8C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336748Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x11ecC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336750Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328870Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe%%1459310.0.1.155954710.0.1.14531766774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328869Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::59547170%%1460838 5158001281000x8020000000000000328868Securitywin-host-ctus-attack-range-1151192\device\harddiskvolume1\windows\system32\svchost.exe::59547170%%1460836 4634001254500x8020000000000000336754Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x51fd1e3 4624201254400x8020000000000000336753Securitywin-dc-ctus-attack-range-146.attackrange.localNULL SID--0x0NT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE.LOCAL0x51fd1e3KerberosKerberos-{48238CC2-5DA9-80AE-5604-EA8624F76BA0}--00x0-::154184%%1833---%%18430x0%%1842 4672001254800x8020000000000000336752Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x51fd1eSeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege 4688201331200x8020000000000000336751Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x7c8C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336756Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x112cC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328872Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155141210.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328871Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05141260%%1460836 4688201331200x8020000000000000336755Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70xe44C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 4688201331200x8020000000000000336757Securitywin-dc-ctus-attack-range-146.attackrange.localNT AUTHORITY\SYSTEMWIN-DC-CTUS-ATT$ATTACKRANGE0x3e70x11b8C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe%%19360xacc"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"NULL SID--0x0C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeMandatory Label\System Mandatory Level 5156101281000x8020000000000000328874Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155141310.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328873Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05141360%%1460836 5152001280900x8010000000000000328875Securitywin-host-ctus-attack-range-1150-%%1459210.0.1.12808910.0.1.1551406667085%%1459713 5156101281000x8020000000000000328877Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155141410.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328876Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05141460%%1460836 4703001331700x8020000000000000328890Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328889Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328888Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328887Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328886Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328885Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4670001357000x8020000000000000328884Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7SecurityToken-0x1b04D:(A;;GA;;;SY)(A;;GA;;;NS)D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-615999462-62705297-2911207457-59056572-3668589837)0x35cC:\Windows\System32\svchost.exe 4703001331700x8020000000000000328883Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328882Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328881Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328880Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328879Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 4703001331700x8020000000000000328878Securitywin-host-ctus-attack-range-115NT AUTHORITY\SYSTEMWIN-HOST-CTUS-A$WORKGROUP0x3e7NULL SIDWIN-HOST-CTUS-A$WORKGROUP0x3e7C:\Windows\System32\svchost.exe0x35cSeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemtimePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeSystemEnvironmentPrivilege SeUndockPrivilege SeManageVolumePrivilege- 5156101281000x8020000000000000328892Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe%%1459310.0.1.155141510.0.1.128000666774%%1461148S-1-0-0S-1-0-0 5158001281000x8020000000000000328891Securitywin-host-ctus-attack-range-1153280\device\harddiskvolume1\program files\splunkuniversalforwarder\etc\apps\splunk_ta_stream\windows_x86_64\bin\streamfwd.exe0.0.0.05141560%%1460836