"Account_Domain","Account_Name",ActivityID,Address,AddressLength,Archived,AuthenticationPackageName,BitlockerUserInputTime,BootMenuPolicy,BootMode,BootType,BuildVersion,CallTrace,"Caller_Computer_Name","Caller_Domain","Caller_Logon_ID","Caller_Machine_Name","Caller_User_Name",CategoryString,CertIssuerName,CertSerialNumber,CertThumbprint,"Change_Type",Channel,ClientInfo,"Client_Address","Client_Domain","Client_Logon_ID","Client_Machine_Name","Client_User_Name",CommandLine,Company,Computer,ComputerName,Config,Consumer,CorruptionActionState,CreationUtcTime,CurrentDirectory,"Default_SD_String_",Description,Destination,DestinationHostname,DestinationIp,DestinationIsIpv6,DestinationPort,DestinationPortName,Detail,Details,DeviceName,DeviceNameLength,DeviceTime,DeviceVersionMajor,DeviceVersionMinor,Domain,DriveName,DwordVal,ElevatedToken,EnableDisableReason,EntryCount,"Error_Code",EventChannel,EventCode,"EventData_Xml",EventDescription,EventID,EventRecordID,EventSourceName,EventType,ExtraInfoLength,ExtraInfoString,FileName,FileVersion,Filter,FilterID,FinalStatus,GrantedAccess,Group,"Group_Domain","Group_Name","Group_Type_Change",Guid,Hashes,ID,IMPHASH,IdleImplementation,IdleStateCount,Image,ImageLoaded,"Image_File_Name",ImpersonationLevel,Initiated,IntegrityLevel,Interface,IpAddress,IpPort,IsExecutable,IsTestConfig,KeyFilePath,KeyLength,Keywords,LastBootGood,LastShutdownGood,Level,LmPackageName,LoadOptions,"LogFileCleared_Xml",LogonGuid,LogonId,LogonProcessName,LogonType,"Logon_Account","Logon_ID","Logon_Type","Logon_account",MD5,MajorVersion,MandatoryLabel,MaximumPerformancePercent,"Member_ID","Member_Name",Message,MessageNumber,MessageTotal,MinimumPasswordLength,MinimumPasswordLengthAudit,MinimumPerformancePercent,MinimumThrottlePercent,MinorVersion,Name,NewProcessId,NewProcessName,NewTime,"New_Account_Name","New_Domain",NominalFrequency,Number,ObjectName,OldTime,Opcode,OriginalFileName,ParentCommandLine,ParentImage,ParentProcessGuid,ParentProcessId,ParentProcessName,Path,PerformanceImplementation,PipeName,PreAuthType,PreviousTime,"Primary_Domain","Primary_User_Name",PrivilegeList,ProcessGuid,ProcessID,ProcessId,ProcessName,"Process_Command_Line",Product,Protocol,ProtocolType,QfeVersion,Qualifiers,QueryName,QueryResults,QueryStatus,Reason,RecordID,RecordNumber,RegistryValueData,RegistryValueType,"RenderingInfo_Xml",RestrictedAdminMode,RuleName,RunspaceId,SHA256,SchemaVersion,ScriptBlockId,ScriptBlockText,SecurityID,"Security_ID",ServiceName,ServiceSid,ServiceVersion,ShutdownActionType,ShutdownEventCode,ShutdownReason,Signature,SignatureStatus,Signed,SourceHostname,SourceImage,SourceIp,SourceIsIpv6,SourcePort,SourcePortName,SourceProcessGUID,SourceProcessId,SourceThreadId,"Source_Network_Address","Source_Port","Source_Workstation",StartTime,State,Status,SubStatus,SubjectDomainName,SubjectLogonId,SubjectUserName,SubjectUserSid,"Supplied_Realm_Name",SystemTime,"System_Props_Xml",TSId,TargetDomainName,TargetFilename,TargetImage,TargetInfo,TargetLinkedLogonId,TargetLogonGuid,TargetLogonId,TargetObject,TargetOutboundDomainName,TargetOutboundUserName,TargetProcessGUID,TargetProcessId,TargetProcessName,TargetServerName,TargetSid,TargetUserName,TargetUserSid,"Target_Account_ID","Target_Account_Name","Target_Domain","Target_Server_Name","Target_User_Name",Task,TerminalSessionId,ThreadID,TicketEncryptionType,TicketOptions,TimeCreated,TimeSource,TokenElevationType,"Token_Elevation_Type",TransmittedServices,User,"UserData_Xml",UserID,UserSid,"User_ID","User_Name",UtcTime,Version,VirtualAccount,VirtualizationID,VsmPolicy,Workstation,WorkstationName,"Workstation_Name","_raw","_time",action,"answer_count",app,body,category,"change_type",count,"creation_time","date_hour","date_mday","date_minute","date_month","date_second","date_wday","date_year","date_zone",description,dest,"dest_host","dest_ip","dest_nt_domain","dest_port",direction,duration,dvc,"dvc_ip","dvc_nt_host",endtime,"event_id",eventtype,"file_access_time","file_create_time","file_hash","file_modify_time","file_name","file_path","granted_access",host,"http_referrer","http_referrer_domain",id,index,"initial_rtt",linecount,name,"new_process",object,"object_attrs","object_category","object_id","object_path","original_file_name",os,packets,param1,param10,param11,param12,param2,param3,param4,param5,param6,param7,param8,param9,"parent_process","parent_process_exec","parent_process_guid","parent_process_id","parent_process_name","parent_process_path","pipe_name",process,"process_current_directory","process_exec","process_guid","process_hash","process_id","process_integrity_level","process_name","process_path",product,protocol,"protocol_version",punct,query,"query_count","registry_hive","registry_key_name","registry_path","registry_value_data","registry_value_name","registry_value_type","reply_code_id",result,rule,service,"service_dll_signature_exists","service_dll_signature_verified","service_id","service_name","service_signature_exists","service_signature_verified","session_id",severity,"severity_id",signature,"signature_id",source,sourcetype,"splunk_server","splunk_server_group",src,"src_address","src_function","src_host","src_ip","src_module","src_port","src_user","src_user_name","ssl_cert_md5","ssl_cert_self_signed","ssl_cert_sha1","ssl_cert_sha256","ssl_end_time","ssl_hash","ssl_issuer","ssl_issuer_common_name","ssl_issuer_country","ssl_issuer_email","ssl_issuer_locality","ssl_issuer_organization","ssl_issuer_state","ssl_serial","ssl_start_time","ssl_subject","ssl_subject_common_name","ssl_subject_organization","ssl_validity_end","ssl_validity_start",state,status,subject,"ta_windows_action","ta_windows_security_CategoryString","ta_windows_status",tag,"tag::Logon_Type","tag::action","tag::app","tag::eventtype","tag::object_category",timeendpos,timestamp,timestartpos,transport,"transport_dest_port","uri_path",url,"url_domain","url_length",user,"user_group","user_group_id","user_id","user_name","user_type",vendor,"vendor_privilege","vendor_product","vxlan_id"
,,,,,,,,,,,,,,,,,,,,,,,"Microsoft-Windows-Sysmon/Operational",,,,,,,"C:\Windows\system32\cmd.exe /S /D /c"" dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == ""Login Data"" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul""","Microsoft Corporation","win-dc-ctus-attack-range-657.attackrange.local",,,,,,"C:\",,"Windows Command Processor",,,,,,,,,,,,,,,,,,,,,"Microsoft-Windows-Sysmon/Operational",1,"-2022-11-30 13:20:43.985{89C4FCAF-58AB-6387-2514-000000009402}6568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c"" dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == ""Login Data"" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul""C:\ATTACKRANGE\Administrator{89C4FCAF-46B7-6387-1220-3C0000000000}0x3c20122HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{89C4FCAF-57DF-6387-6308-000000009402}5892C:\Windows\System32\cmd.exe""cmd.exe"" /s /k pushd ""C:\Users\Public""","Process creation",1,150703,,,,,,"10.0.14393.0 (rs1_release.160715-1616)",,,,,,,,,"'{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'","MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A",,3062ED732D4B25D1C64F084DAC97D37A,,,"C:\Windows\System32\cmd.exe",,,,,High,,,,,,,,0x8000000000000000,,,4,,,,"{89C4FCAF-46B7-6387-1220-3C0000000000}",0x3c2012,,,,,,,F4F684066175B77E0C3A000549D2922C,,,,,,,,,,,,,,"'Microsoft-Windows-Sysmon'",,,,,,,,,,0,"Cmd.Exe","""cmd.exe"" /s /k pushd ""C:\Users\Public""","C:\Windows\System32\cmd.exe","{89C4FCAF-57DF-6387-6308-000000009402}",5892,,,,,,,,,,"{89C4FCAF-58AB-6387-2514-000000009402}","'2528'",6568,,,"Microsoft® Windows® Operating System",,,,,,,,,150703,150703,,,,,"-",,935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,,,,"S-1-5-18",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"'2022-11-30T13:20:43.991766400Z'","154100x8000000000000000150703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local",,,,,,,,,,,,,,,,,,,,,,,,1,2,"'2200'",,,"2022-11-30T13:20:43.991766400Z",,,,,"ATTACKRANGE\Administrator",,"'S-1-5-18'",,,,"2022-11-30 13:20:43.985",5,,,,,,,"154100x8000000000000000150703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:20:43.985{89C4FCAF-58AB-6387-2514-000000009402}6568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c"" dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == ""Login Data"" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul""C:\ATTACKRANGE\Administrator{89C4FCAF-46B7-6387-1220-3C0000000000}0x3c20122HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{89C4FCAF-57DF-6387-6308-000000009402}5892C:\Windows\System32\cmd.exe""cmd.exe"" /s /k pushd ""C:\Users\Public""","2022-11-30T13:20:43.000+0000",allowed,,,,,,,,,,,,,,,,,"win-dc-ctus-attack-range-657.attackrange.local",,,,,,,,,"WIN-DC-CTUS-ATT",,150703,"endpoint_services_processes err0r ms-sysmon-process nix_errors windows_event_signature",,,,,,,,"WIN-DC-CTUS-ATT",,,150703,win,,1,,,,,,,,"Cmd.Exe","Microsoft Windows",,,,,,,,,,,,,,"""cmd.exe"" /s /k pushd ""C:\Users\Public""","cmd.exe","{89C4FCAF-57DF-6387-6308-000000009402}",5892,"cmd.exe","C:\Windows\System32\cmd.exe",,"C:\Windows\system32\cmd.exe /S /D /c"" dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == ""Login Data"" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul""","C:\","cmd.exe","{89C4FCAF-58AB-6387-2514-000000009402}","MD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A",6568,High,"cmd.exe","C:\Windows\System32\cmd.exe",,,,"<_='://../////'><><_='--'_='{----}'/><>><>><><",,,,,,,,,,,,,,,,,,,,,,"Process creation",1,"XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",xmlwineventlog,"splunk-server-ctus-attack-range-793",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"error
process
report
track_event_signatures",,,,"error
process
report
track_event_signatures",,,,,,,,,,,Administrator,,,"'S-1-5-18'",,,,,"Microsoft Sysmon",